github - ghsa-mm33-5vfq-3mm3

GHSA-MM33-5VFQ-3MM3

Vulnerability from github – Published: 2022-04-27 22:28 – Updated: 2022-06-08 18:05

Summary

Cross-site Scripting Vulnerability in Action Pack

Details

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Impact

CSP headers were only sent along with responses that Rails considered as "HTML" responses. This left API requests without CSP headers, which could possibly expose users to XSS attacks.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Set a CSP for your API responses manually.

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.2.7.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.2.0"
            },
            {
              "fixed": "5.2.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.0.4.7"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.1.5.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.1.0"
            },
            {
              "fixed": "6.1.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.0.2.3"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.0.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-22577"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-27T22:28:59Z",
    "nvd_published_at": "2022-05-26T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been\nassigned the CVE identifier CVE-2022-22577.\n\nVersions Affected:  \u003e= 5.2.0\nNot affected:       \u003c 5.2.0\nFixed Versions:     7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1\n\n## Impact\n\nCSP headers were only sent along with responses that Rails considered as\n\"HTML\" responses.  This left API requests without CSP headers, which could\npossibly expose users to XSS attacks.\n\n## Releases\n\nThe FIXED releases are available at the normal locations.\n\n## Workarounds\n\nSet a CSP for your API responses manually.",
  "id": "GHSA-mm33-5vfq-3mm3",
  "modified": "2022-06-08T18:05:30Z",
  "published": "2022-04-27T22:28:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22577"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/pull/44635"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/8198d7c4accad0b6ba956b9d59528534a289866b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809"
    },
    {
      "type": "WEB",
      "url": "https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rails/rails"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20221118-0002"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5372"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross-site Scripting Vulnerability in Action Pack"
}

GSD-2022-22577

Vulnerability from gsd - Updated: 2022-04-27 00:00

Details

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1 ## Impact CSP headers were only sent along with responses that Rails considered as "HTML" responses. This left API requests without CSP headers, which could possibly expose users to XSS attacks. ## Releases The FIXED releases are available at the normal locations. ## Workarounds Set a CSP for your API responses manually.

Aliases

CVE-2022-22577

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-22577",
    "description": "An XSS Vulnerability in Action Pack \u003e= 5.2.0 and \u003c 5.2.0 that could allow an attacker to bypass CSP for non HTML like responses.",
    "id": "GSD-2022-22577",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-22577.html",
      "https://www.debian.org/security/2023/dsa-5372"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "actionpack",
            "purl": "pkg:gem/actionpack"
          }
        }
      ],
      "aliases": [
        "CVE-2022-22577",
        "GHSA-mm33-5vfq-3mm3"
      ],
      "details": "There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been\nassigned the CVE identifier CVE-2022-22577.\n\nVersions Affected:  \u003e= 5.2.0\nNot affected:       \u003c 5.2.0\nFixed Versions:     7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1\n\n## Impact\n\nCSP headers were only sent along with responses that Rails considered as\n\"HTML\" responses.  This left API requests without CSP headers, which could\npossibly expose users to XSS attacks.\n\n## Releases\n\nThe FIXED releases are available at the normal locations.\n\n## Workarounds\n\nSet a CSP for your API responses manually.",
      "id": "GSD-2022-22577",
      "modified": "2022-04-27T00:00:00.000Z",
      "published": "2022-04-27T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI"
        },
        {
          "type": "WEB",
          "url": "https://github.com/rails/rails/pull/44635"
        },
        {
          "type": "WEB",
          "url": "https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md#rails-7024-april-26-2022"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 6.1,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Possible XSS Vulnerability in Action Pack"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "support@hackerone.com",
        "ID": "CVE-2022-22577",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "https://github.com/rails/rails",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An XSS Vulnerability in Action Pack \u003e= 5.2.0 and \u003c 5.2.0 that could allow an attacker to bypass CSP for non HTML like responses."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Cross-site Scripting (XSS) - Stored (CWE-79)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533",
            "refsource": "MISC",
            "url": "https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533"
          },
          {
            "name": "[debian-lts-announce] 20220903 [SECURITY] [DLA 3093-1] rails security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20221118-0002/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20221118-0002/"
          },
          {
            "name": "DSA-5372",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2023/dsa-5372"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2022-22577",
      "cvss_v3": 6.1,
      "date": "2022-04-27",
      "description": "There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been\nassigned the CVE identifier CVE-2022-22577.\n\nVersions Affected:  \u003e= 5.2.0\nNot affected:       \u003c 5.2.0\nFixed Versions:     7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1\n\n## Impact\n\nCSP headers were only sent along with responses that Rails considered as\n\"HTML\" responses.  This left API requests without CSP headers, which could\npossibly expose users to XSS attacks.\n\n## Releases\n\nThe FIXED releases are available at the normal locations.\n\n## Workarounds\n\nSet a CSP for your API responses manually.",
      "framework": "rails",
      "gem": "actionpack",
      "ghsa": "mm33-5vfq-3mm3",
      "patched_versions": [
        "~\u003e 5.2.7, \u003e= 5.2.7.1",
        "~\u003e 6.0.4, \u003e= 6.0.4.8",
        "~\u003e 6.1.5, \u003e= 6.1.5.1",
        "\u003e= 7.0.2.4"
      ],
      "related": {
        "url": [
          "https://github.com/rails/rails/pull/44635",
          "https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md#rails-7024-april-26-2022"
        ]
      },
      "title": "Possible XSS Vulnerability in Action Pack",
      "unaffected_versions": [
        "\u003c 5.2.0"
      ],
      "url": "https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=5.2.0 \u003c5.2.7.1||\u003e=6.0.0 \u003c6.0.4.8||\u003e=6.1.0 \u003c6.1.5.1||\u003e=7.0.0 \u003c7.0.2.4",
          "affected_versions": "All versions starting from 5.2.0 before 5.2.7.1, all versions starting from 6.0.0 before 6.0.4.8, all versions starting from 6.1.0 before 6.1.5.1, all versions starting from 7.0.0 before 7.0.2.4",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2023-03-14",
          "description": "An XSS Vulnerability in Action Pack \u003e= 5.2.0 and \u003c 5.2.0 that could allow an attacker to bypass CSP for non HTML like responses.",
          "fixed_versions": [
            "5.2.7.1",
            "6.0.4.8",
            "6.1.5.1",
            "7.0.2.4"
          ],
          "identifier": "CVE-2022-22577",
          "identifiers": [
            "CVE-2022-22577",
            "GHSA-mm33-5vfq-3mm3",
            "GMS-2022-1137"
          ],
          "not_impacted": "All versions before 5.2.0, all versions starting from 5.2.7.1 before 6.0.0, all versions starting from 6.0.4.8 before 6.1.0, all versions starting from 6.1.5.1 before 7.0.0, all versions starting from 7.0.2.4",
          "package_slug": "gem/actionpack",
          "pubdate": "2022-05-26",
          "solution": "Upgrade to versions 5.2.7.1, 6.0.4.8, 6.1.5.1, 7.0.2.4 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-22577",
            "https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533",
            "https://github.com/rails/rails/pull/44635",
            "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml",
            "https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI",
            "https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released",
            "https://github.com/advisories/GHSA-mm33-5vfq-3mm3"
          ],
          "uuid": "a6b294f3-1dc4-4f88-9c23-62156988970d"
        },
        {
          "affected_range": "\u003c0",
          "affected_versions": "All versions starting from 5.2.0 up to 5.2.7.0, all versions starting from 6.0.0 up to 6.0.4.7, all versions starting from 6.1.0 up to 6.1.5.0, all versions starting from 7.0.0 up to 7.0.2.3",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2022-04-27",
          "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in actionpack.",
          "fixed_versions": [
            "5.2.7.1",
            "6.0.4.8",
            "6.1.5.1",
            "7.0.2.4"
          ],
          "identifier": "GMS-2022-1137",
          "identifiers": [
            "GHSA-mm33-5vfq-3mm3",
            "GMS-2022-1137",
            "CVE-2022-22577"
          ],
          "not_impacted": "All versions before 5.2.0, all versions after 5.2.7.0 before 6.0.0, all versions after 6.0.4.7 before 6.1.0, all versions after 6.1.5.0 before 7.0.0, all versions after 7.0.2.3",
          "package_slug": "gem/actionpack",
          "pubdate": "2022-04-27",
          "solution": "Upgrade to versions 5.2.7.1, 6.0.4.8, 6.1.5.1, 7.0.2.4 or above.",
          "title": "Duplicate of ./gem/actionpack/CVE-2022-22577.yml",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-22577",
            "https://github.com/rails/rails/pull/44635",
            "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml",
            "https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI",
            "https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released",
            "https://github.com/advisories/GHSA-mm33-5vfq-3mm3"
          ],
          "uuid": "f7656165-cd95-4a51-8447-c23f1d90c1da"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:actionpack:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.0.2.4",
                "versionStartIncluding": "7.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:actionpack:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.1.5.1",
                "versionStartIncluding": "6.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:actionpack:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.0.4.8",
                "versionStartIncluding": "6.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:actionpack:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.2.7.1",
                "versionStartIncluding": "5.2.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assignments@hackerone.com",
          "ID": "CVE-2022-22577"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An XSS Vulnerability in Action Pack \u003e= 5.2.0 and \u003c 5.2.0 that could allow an attacker to bypass CSP for non HTML like responses."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533"
            },
            {
              "name": "[debian-lts-announce] 20220903 [SECURITY] [DLA 3093-1] rails security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20221118-0002/",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20221118-0002/"
            },
            {
              "name": "DSA-5372",
              "refsource": "DEBIAN",
              "tags": [],
              "url": "https://www.debian.org/security/2023/dsa-5372"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2023-03-14T08:15Z",
      "publishedDate": "2022-05-26T17:15Z"
    }
  }
}

CVE-2022-22577 (GCVE-0-2022-22577)

Vulnerability from cvelistv5 – Published: 2022-05-26 00:00 – Updated: 2024-08-03 03:14

Summary

An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 that could allow an attacker to bypass CSP for non HTML like responses.

Severity ?

No CVSS data available.

CWE

CWE-79 - Cross-site Scripting (XSS) - Stored (CWE-79)

Assigner

hackerone

References

URL

	Vendor	Product	Version
	n/a	https://github.com/rails/rails	Affected: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted