actionpack 7.0.0.alpha2
Possible exposure of information vulnerability in Action Pack
high severity CVE-2022-23633~> 5.2.6, >= 5.2.6.2
, ~> 6.0.4, >= 6.0.4.6
, ~> 6.1.4, >= 6.1.4.6
, >= 7.0.2.2
< 5.0.0
Impact
Under certain circumstances response bodies will not be closed, for example a
bug in a webserver (https://github.com/puma/puma/pull/2812) or a bug in a Rack
middleware. In the event a response is not notified of a close
,
ActionDispatch::Executor
will not know to reset thread local state for the
next request. This can lead to data being leaked to subsequent requests,
especially when interacting with ActiveSupport::CurrentAttributes
.
Upgrading to the FIXED versions of Rails will ensure mitigation if this issue even in the context of a buggy webserver or middleware implementation.
Patches
This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
Workarounds
Upgrading is highly recommended, but to work around this problem the following middleware can be used:
class GuardedExecutor < ActionDispatch::Executor
def call(env)
ensure_completed!
super
end
private
def ensure_completed!
@executor.new.complete! if @executor.active?
end
end
# Ensure the guard is inserted before ActionDispatch::Executor
Rails.application.configure do
config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor
end
Possible XSS via User Supplied Values to redirect_to
medium severity CVE-2023-28362~> 6.1.7.4
, >= 7.0.5.1
The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.
Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4
Impact
This introduces the potential for a Cross-site-scripting (XSS) payload to be delivered on the now static redirection page. Note that this both requires user interaction and for a Rails app to be configured to allow redirects to external hosts (defaults to false in Rails >= 7.0.x).
Releases
The FIXED releases are available at the normal locations.
Workarounds
Avoid providing user supplied URLs with arbitrary schemes to the redirect_to method.
Possible XSS Vulnerability in Action Pack
medium severity CVE-2022-22577~> 5.2.7, >= 5.2.7.1
, ~> 6.0.4, >= 6.0.4.8
, ~> 6.1.5, >= 6.1.5.1
, >= 7.0.2.4
< 5.2.0
There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577.
Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1
Impact
CSP headers were only sent along with responses that Rails considered as "HTML" responses. This left API requests without CSP headers, which could possibly expose users to XSS attacks.
Releases
The FIXED releases are available at the normal locations.
Workarounds
Set a CSP for your API responses manually.
Possible Open Redirect in Host Authorization Middleware
medium severity CVE-2021-44528~> 6.0.4, >= 6.0.4.2
, ~> 6.1.4, >= 6.1.4.2
, >= 7.0.0.rc2
< 6.0.0
There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack.
Specially crafted "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:
config.hosts << '.EXAMPLE.com'
When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.
This vulnerability is similar to CVE-2021-22881 and CVE-2021-22942.
Releases
The fixed releases are available at the normal locations.
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 6-0-host-authorzation-open-redirect.patch - Patch for 6.0 series
- 6-1-host-authorzation-open-redirect.patch - Patch for 6.1 series
- 7-0-host-authorzation-open-redirect.patch - Patch for 7.0 series
Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
ReDoS based DoS vulnerability in Action Dispatch
low severity CVE-2023-22795~> 5.2.8, >= 5.2.8.15
, ~> 6.1.7, >= 6.1.7.1
, >= 7.0.4.1
There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795.
Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1
Impact
A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds
We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious If-None-Match headers before they reach the application.
Users on Ruby 3.2.0 or greater are not affected by this vulnerability.
ReDoS based DoS vulnerability in Action Dispatch
low severity CVE-2023-22792~> 5.2.8, >= 5.2.8.15
, ~> 6.1.7, >= 6.1.7.1
, >= 7.0.4.1
< 3.0.0
There is a possible regular expression based DoS vulnerability in Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2023-22792.
Versions Affected: >= 3.0.0 Not affected: < 3.0.0 Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1
Impact
Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds
We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious X_FORWARDED_HOST headers before they reach the application.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.