CVE-2022-22577 – actionpack

Package

Manager: gem
Name: actionpack
Vulnerable Version: >=5.2.0 <5.2.7.1 || >=6.0.0 <6.0.4.8 || >=6.1.0 <6.1.5.1 || >=7.0.0 <7.0.2.4

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00267 pctl0.49986

Details

Cross-site Scripting Vulnerability in Action Pack There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1 ## Impact CSP headers were only sent along with responses that Rails considered as "HTML" responses. This left API requests without CSP headers, which could possibly expose users to XSS attacks. ## Releases The FIXED releases are available at the normal locations. ## Workarounds Set a CSP for your API responses manually.

Metadata

Created: 2022-04-27T22:28:59Z
Modified: 2022-06-08T18:05:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-mm33-5vfq-3mm3/GHSA-mm33-5vfq-3mm3.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-mm33-5vfq-3mm3
Finding: F425
Auto approve: 1