Vulnerability-Lookup

CVE-2024-54133 (GCVE-0-2024-54133)

Vulnerability from cvelistv5 – Published: 2024-12-10 22:52 – Updated: 2025-03-07 00:10

Title

Possible Content Security Policy bypass in Action Dispatch

Summary

Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Severity

2.3 (Low)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

5 references

URL	Tags
https://github.com/rails/rails/security/advisorie…	x_refsource_CONFIRM
https://github.com/rails/rails/commit/2e3f41e4538…	x_refsource_MISC
https://github.com/rails/rails/commit/3da2479cfe1…	x_refsource_MISC
https://github.com/rails/rails/commit/5558e72f22f…	x_refsource_MISC
https://github.com/rails/rails/commit/cb16a3bb515…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
rails	rails	Affected: >= 5.2.0, < 7.0.8.7 Affected: >= 7.1.0, < 7.1.5.1 Affected: >= 7.2.0, < 7.2.2.1 Affected: >= 8.0.0, < 8.0.0.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-54133",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-11T16:05:59.623098Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-11T16:06:09.364Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-03-07T00:10:45.315Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250306-0010/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rails",
          "vendor": "rails",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.2.0, \u003c 7.0.8.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.1.0, \u003c 7.1.5.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.2.0, \u003c 7.2.2.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0, \u003c 8.0.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-10T22:52:04.633Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v"
        },
        {
          "name": "https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49"
        },
        {
          "name": "https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a"
        },
        {
          "name": "https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542"
        },
        {
          "name": "https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d"
        }
      ],
      "source": {
        "advisory": "GHSA-vfm5-rmrh-j26v",
        "discovery": "UNKNOWN"
      },
      "title": "Possible Content Security Policy bypass in Action Dispatch"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-54133",
    "datePublished": "2024-12-10T22:52:04.633Z",
    "dateReserved": "2024-11-29T18:02:16.754Z",
    "dateUpdated": "2025-03-07T00:10:45.315Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-54133",
      "date": "2026-05-27",
      "epss": "0.0019",
      "percentile": "0.40516"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.\"}, {\"lang\": \"es\", \"value\": \"Action Pack es un framework para gestionar y responder a solicitudes web. Existe una posible vulnerabilidad de Cross Site Scripting (XSS) en el asistente `content_security_policy` a partir de la versi\\u00f3n 5.2.0 de Action Pack y anteriores a las versiones 7.0.8.7, 7.1.5.1, 7.2.2.1 y 8.0.0.1. Las aplicaciones que establecen encabezados Content-Security-Policy (CSP) de forma din\\u00e1mica a partir de una entrada de usuario no confiable pueden ser vulnerables a que las entradas cuidadosamente dise\\u00f1adas puedan inyectar nuevas directivas en la CSP. Esto podr\\u00eda provocar una omisi\\u00f3n de la CSP y su protecci\\u00f3n contra XSS y otros ataques. Las versiones 7.0.8.7, 7.1.5.1, 7.2.2.1 y 8.0.0.1 contienen una soluci\\u00f3n. Como workaround, las aplicaciones pueden evitar establecer encabezados CSP de forma din\\u00e1mica a partir de una entrada no confiable, o pueden validar/sanear esa entrada.\"}]",
      "id": "CVE-2024-54133",
      "lastModified": "2024-12-10T23:15:06.240",
      "metrics": "{\"cvssMetricV40\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"4.0\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\", \"baseScore\": 2.3, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"PASSIVE\", \"vulnerableSystemConfidentiality\": \"NONE\", \"vulnerableSystemIntegrity\": \"NONE\", \"vulnerableSystemAvailability\": \"NONE\", \"subsequentSystemConfidentiality\": \"LOW\", \"subsequentSystemIntegrity\": \"LOW\", \"subsequentSystemAvailability\": \"NONE\", \"exploitMaturity\": \"NOT_DEFINED\", \"confidentialityRequirements\": \"NOT_DEFINED\", \"integrityRequirements\": \"NOT_DEFINED\", \"availabilityRequirements\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NOT_DEFINED\", \"modifiedAttackComplexity\": \"NOT_DEFINED\", \"modifiedAttackRequirements\": \"NOT_DEFINED\", \"modifiedPrivilegesRequired\": \"NOT_DEFINED\", \"modifiedUserInteraction\": \"NOT_DEFINED\", \"modifiedVulnerableSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedVulnerableSystemIntegrity\": \"NOT_DEFINED\", \"modifiedVulnerableSystemAvailability\": \"NOT_DEFINED\", \"modifiedSubsequentSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedSubsequentSystemIntegrity\": \"NOT_DEFINED\", \"modifiedSubsequentSystemAvailability\": \"NOT_DEFINED\", \"safety\": \"NOT_DEFINED\", \"automatable\": \"NOT_DEFINED\", \"recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\"}}]}",
      "published": "2024-12-10T23:15:06.240",
      "references": "[{\"url\": \"https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v\", \"source\": \"security-advisories@github.com\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-54133\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-12-10T23:15:06.240\",\"lastModified\":\"2025-03-07T01:15:11.650\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.\"},{\"lang\":\"es\",\"value\":\"Action Pack es un framework para gestionar y responder a solicitudes web. Existe una posible vulnerabilidad de Cross Site Scripting (XSS) en el asistente `content_security_policy` a partir de la versi\u00f3n 5.2.0 de Action Pack y anteriores a las versiones 7.0.8.7, 7.1.5.1, 7.2.2.1 y 8.0.0.1. Las aplicaciones que establecen encabezados Content-Security-Policy (CSP) de forma din\u00e1mica a partir de una entrada de usuario no confiable pueden ser vulnerables a que las entradas cuidadosamente dise\u00f1adas puedan inyectar nuevas directivas en la CSP. Esto podr\u00eda provocar una omisi\u00f3n de la CSP y su protecci\u00f3n contra XSS y otros ataques. Las versiones 7.0.8.7, 7.1.5.1, 7.2.2.1 y 8.0.0.1 contienen una soluci\u00f3n. Como workaround, las aplicaciones pueden evitar establecer encabezados CSP de forma din\u00e1mica a partir de una entrada no confiable, o pueden validar/sanear esa entrada.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":2.3,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20250306-0010/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://security.netapp.com/advisory/ntap-20250306-0010/\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-03-07T00:10:45.315Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-54133\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-11T16:05:59.623098Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-11T16:06:05.368Z\"}}], \"cna\": {\"title\": \"Possible Content Security Policy bypass in Action Dispatch\", \"source\": {\"advisory\": \"GHSA-vfm5-rmrh-j26v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 2.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"rails\", \"product\": \"rails\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 5.2.0, \u003c 7.0.8.7\"}, {\"status\": \"affected\", \"version\": \"\u003e= 7.1.0, \u003c 7.1.5.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 7.2.0, \u003c 7.2.2.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 8.0.0, \u003c 8.0.0.1\"}]}], \"references\": [{\"url\": \"https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v\", \"name\": \"https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49\", \"name\": \"https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a\", \"name\": \"https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542\", \"name\": \"https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d\", \"name\": \"https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-12-10T22:52:04.633Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-54133\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-07T00:10:45.315Z\", \"dateReserved\": \"2024-11-29T18:02:16.754Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-12-10T22:52:04.633Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2024-AVI-1060

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Ruby on Rails. Elles permettent à un attaquant de provoquer une injection de code indirecte à distance (XSS) et un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Ruby on Rails	actionpack	actionpack versions 7.1.x antérieures à 7.1.5.1
Ruby on Rails	actionpack	actionpack versions 5.2.x à 7.0.x antérieures à 7.0.8.7
Ruby on Rails	actionpack	actionpack versions 8.0.0.x antérieures à 8.0.0.1
Ruby on Rails	actionpack	actionpack versions 7.2.x antérieures à 7.2.2.1

References

Title

Publication Time

CERTFR-2024-AVI-1060

Vulnerability from certfr_avis - Published: - Updated:

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Ruby on Rails	actionpack	actionpack versions 7.1.x antérieures à 7.1.5.1
Ruby on Rails	actionpack	actionpack versions 5.2.x à 7.0.x antérieures à 7.0.8.7
Ruby on Rails	actionpack	actionpack versions 8.0.0.x antérieures à 8.0.0.1
Ruby on Rails	actionpack	actionpack versions 7.2.x antérieures à 7.2.2.1

References

Title

Publication Time

BDU:2025-00917

Vulnerability from fstec - Published: 10.12.2024

Title

Уязвимость функции content_security_policy расширения Action Pack интерпретатора Ruby, позволяющая нарушителю проводить межсайтовые сценарные атаки(XSS)

Description

Уязвимость функции content_security_policy расширения Action Pack интерпретатора Ruby связана с непринятием мер по защите структуры веб-страницы. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, проводить межсайтовые сценарные атаки (XSS)

Severity


                    
                      AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N


                    
                      AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Vendor

Novell Inc., Red Hat Inc., Сообщество свободного программного обеспечения, ООО «Ред Софт», Ruby Team

Software Name

openSUSE Tumbleweed, Red Hat 3scale API Management Platform, Debian GNU/Linux, РЕД ОС (запись в едином реестре российских программ №3751), Red Hat Satellite, Action Pack

Software Version

- (openSUSE Tumbleweed), 2 (Red Hat 3scale API Management Platform), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 7.3 (РЕД ОС), 6 (Red Hat Satellite), от 5.2.0 до 7.0.8.7 (Action Pack), от 7.1.0 до 7.1.5.1 (Action Pack), от 7.2.0 до 7.2.2.1 (Action Pack), от 8.0.0 до 8.0.0.1 (Action Pack)

Possible Mitigations

Использование рекомендаций: https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49_x0001_ https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a_x0001_ https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542_x0001_ https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d_x0001_ https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v Для РедОС: https://redos.red-soft.ru/support/secure/uyazvimosti/uyazvimost-rubygem-actionpack-cve-2024-54133/?sphrase_id=643985 Для Debian GNU/Linux: https://security-tracker.debian.org/tracker/CVE-2024-54133 Для программных продуктов Red Hat Inc.: https://access.redhat.com/security/cve/cve-2024-54133 Для программных продуктов Novell Inc.: https://www.suse.com/security/cve/CVE-2024-54133.html

Reference

https://redos.red-soft.ru/support/secure/ https://redos.red-soft.ru/support/secure/uyazvimosti/uyazvimost-rubygem-actionpack-cve-2024-54133/?sphrase_id=643985 https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49_x0001_ https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a_x0001_ https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542_x0001_ https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d_x0001_ https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v https://security-tracker.debian.org/tracker/CVE-2024-54133 https://access.redhat.com/security/cve/cve-2024-54133 https://www.suse.com/security/cve/CVE-2024-54133.html

CWE

CWE-79

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
  "CVSS 4.0": "AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Novell Inc., Red Hat Inc., \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, Ruby Team",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "- (openSUSE Tumbleweed), 2 (Red Hat 3scale API Management Platform), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 7.3 (\u0420\u0415\u0414 \u041e\u0421), 6 (Red Hat Satellite), \u043e\u0442 5.2.0 \u0434\u043e 7.0.8.7 (Action Pack), \u043e\u0442 7.1.0 \u0434\u043e 7.1.5.1 (Action Pack), \u043e\u0442 7.2.0 \u0434\u043e 7.2.2.1 (Action Pack), \u043e\u0442 8.0.0 \u0434\u043e 8.0.0.1 (Action Pack)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49_x0001_\nhttps://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a_x0001_\nhttps://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542_x0001_\nhttps://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d_x0001_\nhttps://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: \nhttps://redos.red-soft.ru/support/secure/uyazvimosti/uyazvimost-rubygem-actionpack-cve-2024-54133/?sphrase_id=643985\n\n\u0414\u043b\u044f Debian GNU/Linux:\nhttps://security-tracker.debian.org/tracker/CVE-2024-54133\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/cve-2024-54133\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.:\nhttps://www.suse.com/security/cve/CVE-2024-54133.html",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "10.12.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "31.01.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "31.01.2025",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-00917",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2024-54133",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "openSUSE Tumbleweed, Red Hat 3scale API Management Platform, Debian GNU/Linux, \u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Red Hat Satellite, Action Pack",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Novell Inc. openSUSE Tumbleweed - , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 11 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 12 , \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 content_security_policy \u0440\u0430\u0441\u0448\u0438\u0440\u0435\u043d\u0438\u044f Action Pack \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0442\u043e\u0440\u0430 Ruby, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u0440\u043e\u0432\u043e\u0434\u0438\u0442\u044c \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u044b\u0435 \u0441\u0446\u0435\u043d\u0430\u0440\u043d\u044b\u0435 \u0430\u0442\u0430\u043a\u0438(XSS)",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435 \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0432\u0435\u0431-\u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b (\u0438\u043b\u0438 \\\u00ab\u041c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u0430\u044f \u0441\u0446\u0435\u043d\u0430\u0440\u043d\u0430\u044f \u0430\u0442\u0430\u043a\u0430\\\u00bb) (CWE-79)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 content_security_policy \u0440\u0430\u0441\u0448\u0438\u0440\u0435\u043d\u0438\u044f Action Pack \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0442\u043e\u0440\u0430 Ruby \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435\u043c \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0432\u0435\u0431-\u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u043f\u0440\u043e\u0432\u043e\u0434\u0438\u0442\u044c \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u044b\u0435 \u0441\u0446\u0435\u043d\u0430\u0440\u043d\u044b\u0435 \u0430\u0442\u0430\u043a\u0438 (XSS)",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u043d\u044a\u0435\u043a\u0446\u0438\u044f",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://redos.red-soft.ru/support/secure/\nhttps://redos.red-soft.ru/support/secure/uyazvimosti/uyazvimost-rubygem-actionpack-cve-2024-54133/?sphrase_id=643985\nhttps://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49_x0001_\nhttps://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a_x0001_\nhttps://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542_x0001_\nhttps://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d_x0001_\nhttps://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v\nhttps://security-tracker.debian.org/tracker/CVE-2024-54133\nhttps://access.redhat.com/security/cve/cve-2024-54133\nhttps://www.suse.com/security/cve/CVE-2024-54133.html",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-79",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 5)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 4,3)\n\u041d\u0438\u0437\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u043e\u0446\u0435\u043d\u043a\u0430 CVSS 4.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 2,3)"
}

bit-rails-2024-54133

Vulnerability from bitnami_vulndb

Published

2025-04-14 11:27

Modified

2025-10-06 09:29

Summary

Possible Content Security Policy bypass in Action Dispatch

Details

Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "rails",
        "purl": "pkg:bitnami/rails"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.2.0"
            },
            {
              "fixed": "7.0.9"
            },
            {
              "introduced": "7.1.0"
            },
            {
              "fixed": "7.1.4"
            },
            {
              "introduced": "7.2.0"
            },
            {
              "fixed": "7.2.2-2-0"
            },
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.1"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "type": "CVSS_V4"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-54133"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:ruby:*:*"
    ],
    "severity": "Low"
  },
  "details": "Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.",
  "id": "BIT-rails-2024-54133",
  "modified": "2025-10-06T09:29:51.512Z",
  "published": "2025-04-14T11:27:29.848Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54133"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20250306-0010/"
    }
  ],
  "schema_version": "1.6.2",
  "summary": "Possible Content Security Policy bypass in Action Dispatch"
}

FKIE_CVE-2024-54133

Vulnerability from fkie_nvd - Published: 2024-12-10 23:15 - Updated: 2026-04-15 00:35

Severity

2.3 (Low) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49
	security-advisories@github.com	https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a
	security-advisories@github.com	https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542
	security-advisories@github.com	https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d
	security-advisories@github.com	https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
	af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20250306-0010/

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input."
    },
    {
      "lang": "es",
      "value": "Action Pack es un framework para gestionar y responder a solicitudes web. Existe una posible vulnerabilidad de Cross Site Scripting (XSS) en el asistente `content_security_policy` a partir de la versi\u00f3n 5.2.0 de Action Pack y anteriores a las versiones 7.0.8.7, 7.1.5.1, 7.2.2.1 y 8.0.0.1. Las aplicaciones que establecen encabezados Content-Security-Policy (CSP) de forma din\u00e1mica a partir de una entrada de usuario no confiable pueden ser vulnerables a que las entradas cuidadosamente dise\u00f1adas puedan inyectar nuevas directivas en la CSP. Esto podr\u00eda provocar una omisi\u00f3n de la CSP y su protecci\u00f3n contra XSS y otros ataques. Las versiones 7.0.8.7, 7.1.5.1, 7.2.2.1 y 8.0.0.1 contienen una soluci\u00f3n. Como workaround, las aplicaciones pueden evitar establecer encabezados CSP de forma din\u00e1mica a partir de una entrada no confiable, o pueden validar/sanear esa entrada."
    }
  ],
  "id": "CVE-2024-54133",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 2.3,
          "baseSeverity": "LOW",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-12-10T23:15:06.240",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.netapp.com/advisory/ntap-20250306-0010/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-VFM5-RMRH-J26V

Vulnerability from github – Published: 2024-12-10 22:42 – Updated: 2025-03-07 03:31

Summary

Possible Content Security Policy bypass in Action Dispatch

Details

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits

Thanks to ryotak for the report!

Severity

2.3 (Low)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.2.0"
            },
            {
              "fixed": "7.0.8.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.1.0"
            },
            {
              "fixed": "7.1.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.2.0"
            },
            {
              "fixed": "7.2.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-54133"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-10T22:42:27Z",
    "nvd_published_at": "2024-12-10T23:15:06Z",
    "severity": "LOW"
  },
  "details": "There is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper in Action Pack.\n\nImpact\n------\nApplications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nApplications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.\n\nCredits\n-------\nThanks to [ryotak](https://hackerone.com/ryotak) for the report!",
  "id": "GHSA-vfm5-rmrh-j26v",
  "modified": "2025-03-07T03:31:32Z",
  "published": "2024-12-10T22:42:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54133"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rails/rails"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20250306-0010"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Possible Content Security Policy bypass in Action Dispatch"
}

OPENSUSE-SU-2025:14668-1

Vulnerability from csaf_opensuse - Published: 2025-01-21 00:00 - Updated: 2025-01-21 00:00

Summary

ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1 on GA media

Description of the patch: These are all security issues fixed in the ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2025-14668

CVE-2024-54133

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.x86_64	—	Vendor Fix

Threats

Impact low

References

7 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://lists.opensuse.org/archives/list/security…	self
https://lists.opensuse.org/archives/list/security…	self
https://www.suse.com/security/cve/CVE-2024-54133/	self
https://www.suse.com/security/cve/CVE-2024-54133	external
https://bugzilla.suse.com/1234365	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-14668",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14668-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2025:14668-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WYBFRW6P5ZJ3PZDVWOULBBATCQQTW7R6/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2025:14668-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WYBFRW6P5ZJ3PZDVWOULBBATCQQTW7R6/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-54133 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-54133/"
      }
    ],
    "title": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-01-21T00:00:00Z",
      "generator": {
        "date": "2025-01-21T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:14668-1",
      "initial_release_date": "2025-01-21T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-01-21T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.aarch64",
                "product": {
                  "name": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.aarch64",
                  "product_id": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.ppc64le",
                "product": {
                  "name": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.ppc64le",
                  "product_id": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.s390x",
                "product": {
                  "name": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.s390x",
                  "product_id": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.x86_64",
                "product": {
                  "name": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.x86_64",
                  "product_id": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.aarch64"
        },
        "product_reference": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.ppc64le"
        },
        "product_reference": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.s390x"
        },
        "product_reference": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.x86_64"
        },
        "product_reference": "ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-54133",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-54133"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-54133",
          "url": "https://www.suse.com/security/cve/CVE-2024-54133"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1234365 for CVE-2024-54133",
          "url": "https://bugzilla.suse.com/1234365"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-21T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2024-54133"
    }
  ]
}

OPENSUSE-SU-2025:14669-1

Vulnerability from csaf_opensuse - Published: 2025-01-21 00:00 - Updated: 2025-01-21 00:00

Summary

ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1 on GA media

Description of the patch: These are all security issues fixed in the ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2025-14669

CVE-2024-54133

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.x86_64	—	Vendor Fix

Threats

Impact low

References

5 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2024-54133/	self
https://www.suse.com/security/cve/CVE-2024-54133	external
https://bugzilla.suse.com/1234365	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-14669",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14669-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-54133 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-54133/"
      }
    ],
    "title": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-01-21T00:00:00Z",
      "generator": {
        "date": "2025-01-21T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:14669-1",
      "initial_release_date": "2025-01-21T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-01-21T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.aarch64",
                "product": {
                  "name": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.aarch64",
                  "product_id": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.ppc64le",
                "product": {
                  "name": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.ppc64le",
                  "product_id": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.s390x",
                "product": {
                  "name": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.s390x",
                  "product_id": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.x86_64",
                "product": {
                  "name": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.x86_64",
                  "product_id": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.aarch64"
        },
        "product_reference": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.ppc64le"
        },
        "product_reference": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.s390x"
        },
        "product_reference": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.x86_64"
        },
        "product_reference": "ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-54133",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-54133"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-54133",
          "url": "https://www.suse.com/security/cve/CVE-2024-54133"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1234365 for CVE-2024-54133",
          "url": "https://bugzilla.suse.com/1234365"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailbox-8.0-8.0.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-21T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2024-54133"
    }
  ]
}

OPENSUSE-SU-2025:14670-1

Vulnerability from csaf_opensuse - Published: 2025-01-21 00:00 - Updated: 2025-01-21 00:00

Summary

ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1 on GA media

Description of the patch: These are all security issues fixed in the ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2025-14670

CVE-2024-54133

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.x86_64	—	Vendor Fix

Threats

Impact low

References

5 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2024-54133/	self
https://www.suse.com/security/cve/CVE-2024-54133	external
https://bugzilla.suse.com/1234365	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-14670",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14670-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-54133 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-54133/"
      }
    ],
    "title": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-01-21T00:00:00Z",
      "generator": {
        "date": "2025-01-21T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:14670-1",
      "initial_release_date": "2025-01-21T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-01-21T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.aarch64",
                "product": {
                  "name": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.aarch64",
                  "product_id": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.ppc64le",
                "product": {
                  "name": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.ppc64le",
                  "product_id": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.s390x",
                "product": {
                  "name": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.s390x",
                  "product_id": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.x86_64",
                "product": {
                  "name": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.x86_64",
                  "product_id": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.aarch64"
        },
        "product_reference": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.ppc64le"
        },
        "product_reference": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.s390x"
        },
        "product_reference": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.x86_64"
        },
        "product_reference": "ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-54133",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-54133"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-54133",
          "url": "https://www.suse.com/security/cve/CVE-2024-54133"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1234365 for CVE-2024-54133",
          "url": "https://bugzilla.suse.com/1234365"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-8.0-8.0.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-21T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2024-54133"
    }
  ]
}

OPENSUSE-SU-2025:14671-1

Vulnerability from csaf_opensuse - Published: 2025-01-21 00:00 - Updated: 2025-01-21 00:00

Summary

ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1 on GA media

Description of the patch: These are all security issues fixed in the ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2025-14671

CVE-2024-54133

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.x86_64	—	Vendor Fix

Threats

Impact low

References

7 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://lists.opensuse.org/archives/list/security…	self
https://lists.opensuse.org/archives/list/security…	self
https://www.suse.com/security/cve/CVE-2024-54133/	self
https://www.suse.com/security/cve/CVE-2024-54133	external
https://bugzilla.suse.com/1234365	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-14671",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14671-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2025:14671-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UJTHTQ5QR4QSMGFPEY374EL3USFU3N3T/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2025:14671-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UJTHTQ5QR4QSMGFPEY374EL3USFU3N3T/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-54133 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-54133/"
      }
    ],
    "title": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-01-21T00:00:00Z",
      "generator": {
        "date": "2025-01-21T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:14671-1",
      "initial_release_date": "2025-01-21T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-01-21T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.aarch64",
                "product": {
                  "name": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.aarch64",
                  "product_id": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.ppc64le",
                "product": {
                  "name": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.ppc64le",
                  "product_id": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.s390x",
                "product": {
                  "name": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.s390x",
                  "product_id": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.x86_64",
                "product": {
                  "name": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.x86_64",
                  "product_id": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.aarch64"
        },
        "product_reference": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.ppc64le"
        },
        "product_reference": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.s390x"
        },
        "product_reference": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.x86_64"
        },
        "product_reference": "ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-54133",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-54133"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-54133",
          "url": "https://www.suse.com/security/cve/CVE-2024-54133"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1234365 for CVE-2024-54133",
          "url": "https://bugzilla.suse.com/1234365"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-21T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2024-54133"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-54133 (GCVE-0-2024-54133)

Solutions

Solutions

Vulnerability from bitnami_vulndb

Impact

Releases

Workarounds

Credits

Tags

Sightings

Nomenclature