CVE-2022-22577.yml
---
gem: actionpack
framework: rails
cve: 2022-22577
ghsa: mm33-5vfq-3mm3
url: https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI
title: Possible XSS Vulnerability in Action Pack
date: 2022-04-27
description: |
  There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been
  assigned the CVE identifier CVE-2022-22577.

  Versions Affected: >= 5.2.0
  Not affected: < 5.2.0
  Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

  ## Impact

  CSP headers were only sent along with responses that Rails considered as
  "HTML" responses. This left API requests without CSP headers, which could
  possibly expose users to XSS attacks.

  ## Releases

  The FIXED releases are available at the normal locations.

  ## Workarounds

  Set a CSP for your API responses manually.
cvss_v3: 6.1
unaffected_versions:
  - "< 5.2.0"
patched_versions:
  - "~> 5.2.7, >= 5.2.7.1"
  - "~> 6.0.4, >= 6.0.4.8"
  - "~> 6.1.5, >= 6.1.5.1"
  - ">= 7.0.2.4"
related:
  url:
    - https://github.com/rails/rails/pull/44635
    - https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md#rails-7024-april-26-2022
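The workaround named in the advisory above ("Set a CSP for your API responses manually"), as an added example that is not code from the advisory, from ruby-advisory-db or from Rails: a Rack-style middleware that adds a Content-Security-Policy header to any response lacking one, so JSON API responses get a policy while HTML responses that already carry one are left untouched. It uses only plain Ruby (a Rack middleware is just an object whose call(env) returns [status, headers, body]); the policy string and the two inner apps are constructed for the demonstration.

```ruby
# Added example: fill the CSP gap on non-HTML responses with a Rack-style
# middleware. Plain Ruby only; no Rack or Rails gem is required because the
# middleware contract is just #call(env) -> [status, headers, body].

# Constructed policy for the demonstration; an API that serves no markup
# can usually forbid everything and refuse to be framed.
API_CSP = "default-src 'none'; frame-ancestors 'none'".freeze

class CspForAllResponses
  def initialize(app, policy: API_CSP)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Never clobber a policy the application already set (e.g. the one the
    # framework emits on HTML pages); only add one where it is missing.
    # Header names are compared case-insensitively.
    unless headers.keys.any? { |k| k.casecmp?("Content-Security-Policy") }
      headers["Content-Security-Policy"] = @policy
    end
    [status, headers, body]
  end
end

# Constructed inner app standing in for an API endpoint that, like the
# behaviour the advisory describes, returns JSON without any CSP header.
JSON_APP = lambda do |_env|
  [200, { "Content-Type" => "application/json" }, ['{"ok":true}']]
end

# Constructed HTML app that already sets its own CSP.
HTML_APP = lambda do |_env|
  [200, { "Content-Type" => "text/html",
          "Content-Security-Policy" => "default-src 'self'" }, ["<p>hi</p>"]]
end

# Returns the CSP header the wrapped app ends up sending for one request.
def csp_header_for(app, env = {})
  _status, headers, _body = CspForAllResponses.new(app).call(env)
  headers["Content-Security-Policy"]
end

if $PROGRAM_NAME == __FILE__
  puts "JSON response CSP: #{csp_header_for(JSON_APP)}"
  puts "HTML response CSP: #{csp_header_for(HTML_APP)}"
end
```

In a Rails application the same object would be registered with config.middleware.use so that it wraps every response, including those rendered by API controllers.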