-
-
Notifications
You must be signed in to change notification settings - Fork 220
/
Copy pathCVE-2024-28103.yml
68 lines (54 loc) · 2.04 KB
/
CVE-2024-28103.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
---
gem: actionpack
framework: rails
cve: 2024-28103
ghsa: fwhr-88qx-h9g7
url: https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
title: Missing security headers in Action Pack on non-HTML responses
date: 2024-06-04
description: |
Permissions-Policy is Only Served on HTML Content-Type
The application configurable Permissions-Policy is only served
on responses with an HTML related Content-Type.
This has been assigned the CVE identifier CVE-2024-28103.
Versions Affected: >= 6.1.0
Not affected: < 6.1.0
Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4
Impact
------
Responses with a non-HTML Content-Type are not serving the configured
Permissions-Policy. There are certain non-HTML Content-Types that
would benefit from having the Permissions-Policy enforced.
Releases
--------
The fixed releases are available at the normal locations.
Workarounds
-----------
N/A
Patches
-------
To aid users who aren't able to upgrade immediately we have provided
patches for the supported release series in accordance with our
[maintenance policy](https://guides.rubyonrails.org/maintenance_policy.html#security-issues)
regarding security issues. They are in git-am format and consist
of a single changeset.
* 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series
* 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series
* 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series
Credits
-------
Thank you [shinkbr](https://hackerone.com/shinkbr) for reporting this!
cvss_v3: 5.4
unaffected_versions:
- "< 6.1.0"
patched_versions:
- "~> 6.1.7, >= 6.1.7.8"
- "~> 7.0.8, >= 7.0.8.4"
- "~> 7.1.3, >= 7.1.3.4"
- ">= 7.2.0.beta2"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2024-28103
- https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
- https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523
- https://github.com/advisories/GHSA-fwhr-88qx-h9g7