[DRE-maint] Bug#1089755: rails: CVE-2024-54133: Possible Content Security Policy bypass in Action Dispatch
Salvatore Bonaccorso
carnil at debian.org
Thu Dec 12 10:58:57 GMT 2024
Source: rails
Version: 2:6.1.7.3+dfsg-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 2:5.2.0+dfsg-1
Hi,
The following vulnerability was published for rails.
CVE-2024-54133[0]:
| Action Pack is a framework for handling and responding to web
| requests. There is a possible Cross Site Scripting (XSS)
| vulnerability in the `content_security_policy` helper starting in
| version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1,
| 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy
| (CSP) headers dynamically from untrusted user input may be
| vulnerable to carefully crafted inputs being able to inject new
| directives into the CSP. This could lead to a bypass of the CSP and
| its protection against XSS and other attacks. Versions 7.0.8.7,
| 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround,
| applications can avoid setting CSP headers dynamically from
| untrusted input, or can validate/sanitize that input.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-54133
https://www.cve.org/CVERecord?id=CVE-2024-54133
[1] https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
Regards,
Salvatore
More information about the Pkg-ruby-extras-maintainers
mailing list