[Git][security-tracker-team/security-tracker][master] CVE-2024-26144/rails: clarify not-affected rationale

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Sat May 9 21:25:52 BST 2026 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a73ece61 by Sylvain Beucler at 2026-05-09T22:25:46+02:00
CVE-2024-26144/rails: clarify not-affected rationale

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -277950,13 +277950,14 @@ CVE-2021-46907
 CVE-2024-26144 (Rails is a web-application framework. Starting with version 5.2.0, the ...)
 	{DSA-5881-1}
 	- rails 2:7.2.2.1+dfsg-1 (bug #1065119)
-	[bullseye] - rails <not-affected> (vulnerable code not present; introduced in 6.1)
+	[bullseye] - rails <not-affected> (Vulnerable code introduced in 6.1)
 	NOTE: https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945
 	NOTE: https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g
 	NOTE: https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433 (v7.0.8.1)
 	NOTE: https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3 (v6.1.7.7)
+	NOTE: Test case: https://github.com/rails/rails/commit/6f65662e70c0e9910166976169fc54ae62a96571 (v8.1.0.beta1)
 	NOTE: Introduced by: https://github.com/rails/rails/commit/dfb5a82b259e134eac89784ac4ace0c44d1b4aee (v6.1.0rc1)
-	NOTE: Proxying was introduced in v6.1.0
+	NOTE: Active Storage Proxy Mode introduced in 6.1, Redirect Mode not affected (Cache-Control: private)
 CVE-2024-27092 (Hoppscotch is an API development ecosystem.  Due to lack of validation ...)
 	NOT-FOR-US: Hoppscotch
 CVE-2024-27088 (es5-ext contains ECMAScript 5 extensions. Passing functions with very  ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a73ece6123bcca8b56354cf517db1c62d71a2e68

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a73ece6123bcca8b56354cf517db1c62d71a2e68
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260509/f6fc0743/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list