Ruby/actionpack/7.2.0.beta1


Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

https://rubygems.org/gems/actionpack
MIT

2 Security Vulnerabilities

Missing security headers in Action Pack on non-HTML responses

Published date: 2024-06-04T22:26:24Z
CVE: CVE-2024-28103

Permissions-Policy is Only Served on HTML Content-Type

The application-configurable Permissions-Policy header is only served on responses with an HTML-related Content-Type.

This has been assigned the CVE identifier CVE-2024-28103.

Versions Affected: >= 6.1.0
Not affected: < 6.1.0
Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4

Impact

Responses with a non-HTML Content-Type do not carry the configured Permissions-Policy header. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced.

Releases

The fixed releases are available at the normal locations.

Workarounds

N/A

Patches

To aid users who aren't able to upgrade immediately, we have provided patches for the supported release series in accordance with our maintenance policy regarding security issues. They are in git-am format and consist of a single changeset.

  • 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series
  • 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series
  • 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series

Credits

Thank you shinkbr for reporting this!

Affected versions: ["7.2.0.beta1", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "7.1.3.3", "7.0.0", "7.0.1", "7.0.2", "7.0.2.2", "7.0.2.1", "7.0.2.3", "7.0.2.4", "7.0.3", "7.0.3.1", "7.0.4", "7.0.4.1", "7.0.4.2", "7.0.4.3", "7.0.5", "7.0.5.1", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "7.0.8", "7.0.8.1", "7.0.8.2", "7.0.8.3", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.1.3", "6.1.3.1", "6.1.3.2", "6.1.4", "6.1.4.1", "6.1.4.3", "6.1.4.2", "6.1.4.4", "6.1.4.6", "6.1.4.5", "6.1.4.7", "6.1.5", "6.1.5.1", "6.1.6", "6.1.6.1", "6.1.7", "6.1.7.1", "6.1.7.2", "6.1.7.3", "6.1.7.4", "6.1.7.6", "6.1.7.5", "6.1.7.7"]
Secure versions: [7.2.0.beta2, 7.1.3.4, 7.0.8.4]
Recommendation: Update to version 7.1.3.4.
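To make the behaviour in the advisory concrete, here is an added Ruby example (not Action Pack's own code) modelling a minimal Rack-style middleware pair: the first gates the Permissions-Policy header on an HTML Content-Type, as the advisory describes, and the hardened form sets it on every response. The policy string, the inline endpoint and the `missing_policy` audit helper are constructed for this illustration.

```ruby
# Added illustration, not code from Action Pack: a minimal Rack-style
# middleware pair modelling the behaviour CVE-2024-28103 describes.
# Header keys use this toy's capitalised form, not Rack 3's lowercase keys.
POLICY = "camera=(), geolocation=(self), microphone=()" # constructed sample

# Behaviour the advisory describes: the header is emitted only when the
# response Content-Type is HTML, so JSON, XML or SVG responses never get it.
class HtmlOnlyPermissionsPolicy
  def initialize(app, policy)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    if headers["Content-Type"].to_s.start_with?("text/html")
      headers["Permissions-Policy"] = @policy
    end
    [status, headers, body]
  end
end

# Hardened form: emit the header on every response regardless of its type.
class AlwaysPermissionsPolicy
  def initialize(app, policy)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers["Permissions-Policy"] = @policy
    [status, headers, body]
  end
end

# Run a constructed endpoint that answers with the given Content-Type
# through a middleware and return the resulting response headers.
def headers_for(middleware_class, content_type)
  app = ->(_env) { [200, { "Content-Type" => content_type }, ["{}"]] }
  _status, headers, _body = middleware_class.new(app, POLICY).call({})
  headers
end

# Audit helper: list the content types that come back without the header,
# which is what an operator would check on a deployed app's non-HTML routes.
def missing_policy(middleware_class, types)
  types.reject { |t| headers_for(middleware_class, t).key?("Permissions-Policy") }
end
```

Running `missing_policy` with types such as `text/html; charset=utf-8`, `application/json` and `image/svg+xml` shows the HTML-only gate dropping the header on the latter two, while the hardened middleware reports none missing.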

Missing security headers in Action Pack on non-HTML responses

Published date: 2024-06-04
Framework: rails
CVE: 2024-28103
CVSS V3: 5.4

Affected versions: ["6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.1.3", "6.1.3.1", "6.1.3.2", "6.1.4", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "7.0.0.rc3", "7.0.0.rc2", "6.1.4.3", "6.1.4.2", "6.1.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.2", "7.0.2.1", "6.1.4.6", "6.1.4.5", "7.0.2.3", "6.1.4.7", "6.1.5", "7.0.2.4", "6.1.5.1", "7.0.3", "6.1.6", "7.0.3.1", "6.1.6.1", "7.0.4", "6.1.7", "7.0.4.1", "7.0.4.2", "7.0.4.3", "7.0.5", "7.0.5.1", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "7.0.8", "7.1.0.beta1", "7.1.0.rc1", "7.1.0.rc2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.2.0.beta1"]
Secure versions: [7.2.0.beta2, 7.1.3.4, 7.0.8.4]
Recommendation: Update to version 7.1.3.4.

472 Other Versions

Version License Security Released
3.0.2 UNKNOWN 75 2010-11-15 - 19:33 over 13 years
3.0.1 UNKNOWN 75 2010-10-14 - 20:55 over 13 years
3.0.0 UNKNOWN 75 2010-08-29 - 23:11 almost 14 years
3.0.0.rc2 UNKNOWN 44 2010-08-24 - 03:04 almost 14 years
3.0.0.rc UNKNOWN 44 2010-07-26 - 21:43 almost 14 years
3.0.0.beta4 UNKNOWN 44 2010-06-08 - 22:30 about 14 years
3.0.0.beta3 UNKNOWN 44 2010-04-13 - 19:22 about 14 years
3.0.0.beta2 UNKNOWN 44 2010-04-01 - 21:24 about 14 years
3.0.0.beta UNKNOWN 44 2010-02-05 - 02:59 over 14 years
2.3.18 UNKNOWN 40 2013-03-18 - 17:12 over 11 years
2.3.17 UNKNOWN 42 2013-02-11 - 18:16 over 11 years
2.3.16 UNKNOWN 42 2013-01-28 - 21:00 over 11 years
2.3.15 UNKNOWN 42 2013-01-08 - 20:06 over 11 years
2.3.14 UNKNOWN 43 2011-08-16 - 22:00 almost 13 years
2.3.12 UNKNOWN 49 2011-06-08 - 00:21 about 13 years
2.3.11 UNKNOWN 49 2011-02-08 - 21:15 over 13 years
2.3.10 UNKNOWN 52 2010-10-14 - 20:52 over 13 years
2.3.9 UNKNOWN 52 2010-09-04 - 21:54 almost 14 years
2.3.9.pre UNKNOWN 52 2010-08-30 - 03:31 almost 14 years
2.3.8 UNKNOWN 52 2010-05-25 - 04:52 about 14 years
2.3.8.pre1 UNKNOWN 52 2010-05-24 - 21:16 about 14 years
2.3.7 UNKNOWN 52 2010-05-24 - 08:22 about 14 years
2.3.6 UNKNOWN 52 2010-05-23 - 07:48 about 14 years
2.3.5 UNKNOWN 52 2009-11-27 - 00:12 over 14 years
2.3.4 UNKNOWN 53 2009-09-04 - 17:33 almost 15 years
2.3.3 UNKNOWN 57 2009-08-04 - 23:43 almost 15 years
2.3.2 UNKNOWN 57 2009-07-25 - 18:36 almost 15 years
2.2.3 UNKNOWN 61 2009-09-28 - 09:22 almost 15 years
2.2.2 UNKNOWN 63 2009-07-25 - 18:36 almost 15 years
2.1.2 UNKNOWN 66 2009-07-25 - 18:36 almost 15 years
2.1.1 UNKNOWN 66 2009-07-25 - 18:36 almost 15 years
2.1.0 UNKNOWN 66 2009-07-25 - 18:36 almost 15 years
2.0.5 UNKNOWN 62 2009-07-25 - 18:36 almost 15 years
2.0.4 UNKNOWN 62 2009-07-25 - 18:36 almost 15 years
2.0.2 UNKNOWN 62 2009-07-25 - 18:36 almost 15 years
2.0.1 UNKNOWN 62 2009-07-25 - 18:36 almost 15 years
2.0.0 UNKNOWN 62 2009-07-25 - 18:36 almost 15 years
1.13.6 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.13.5 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.13.4 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.13.3 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.13.2 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.13.1 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.13.0 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.12.5 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.12.4 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.12.3 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.12.2 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.12.1 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.12.0 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.11.2 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.11.1 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.11.0 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.10.2 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.10.1 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.9.1 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.9.0 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.8.1 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.8.0 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.7.0 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.6.0 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.5.1 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.5.0 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.4.0 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.3.1 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.3.0 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.2.0 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.1.0 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.0.1 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
1.0.0 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
0.9.5 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years
0.9.0 UNKNOWN 56 2009-07-25 - 18:36 almost 15 years