Skip to content

Possible Content Security Policy bypass in Action Dispatch

Low severity GitHub Reviewed Published Dec 10, 2024 in rails/rails • Updated Dec 10, 2024

Package

bundler actionpack (RubyGems)

Affected versions

>= 5.2.0, < 7.0.8.7
>= 7.1.0, < 7.1.5.1
>= 7.2.0, < 7.2.2.1
>= 8.0.0, < 8.0.0.1

Patched versions

7.0.8.7
7.1.5.1
7.2.2.1
8.0.0.1

Description

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits

Thanks to ryotak for the report!

References

@jhawthorn jhawthorn published to rails/rails Dec 10, 2024
Published to the GitHub Advisory Database Dec 10, 2024
Reviewed Dec 10, 2024
Last updated Dec 10, 2024

Severity

Low

Weaknesses

CVE ID

CVE-2024-54133

GHSA ID

GHSA-vfm5-rmrh-j26v

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.