Source: rails Version: 2:6.1.7.3+dfsg-4 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]> Control: found -1 2:5.2.0+dfsg-1
Hi, The following vulnerability was published for rails. CVE-2024-54133[0]: | Action Pack is a framework for handling and responding to web | requests. There is a possible Cross Site Scripting (XSS) | vulnerability in the `content_security_policy` helper starting in | version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, | 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy | (CSP) headers dynamically from untrusted user input may be | vulnerable to carefully crafted inputs being able to inject new | directives into the CSP. This could lead to a bypass of the CSP and | its protection against XSS and other attacks. Versions 7.0.8.7, | 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, | applications can avoid setting CSP headers dynamically from | untrusted input, or can validate/sanitize that input. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-54133 https://www.cve.org/CVERecord?id=CVE-2024-54133 [1] https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v Regards, Salvatore _______________________________________________ Pkg-ruby-extras-maintainers mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
