There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.
- CVE-2024-54133
- GHSA-vfm5-rmrh-j26v
Versions affected
- actionpack >= 5.2.0, < 7.0.8.7 (patched in 7.0.8.7)
- actionpack >= 7.1.0, < 7.1.5.1 (patched in 7.1.5.1)
- actionpack >= 7.2.0, < 7.2.2.1 (patched in 7.2.2.1)
- actionpack >= 8.0.0, < 8.0.0.1 (patched in 8.0.0.1)
Impact
Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.
Releases
The fixed releases are available at the normal locations.
Workarounds
Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.
Credits
Thanks to ryotak for the report!
Patches
- 7.0 - https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d.patch
- 7.1 - https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542.patch
- 7.2 - https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a.patch
- 8.0 - https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49.patch