-
Notifications
You must be signed in to change notification settings - Fork 348
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
835f9ea
commit 748d44d
Showing
2 changed files
with
212 additions
and
0 deletions.
There are no files selected for viewing
125 changes: 125 additions & 0 deletions
125
advisories/github-reviewed/2024/06/GHSA-fwhr-88qx-h9g7/GHSA-fwhr-88qx-h9g7.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,125 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-fwhr-88qx-h9g7", | ||
| "modified": "2024-06-04T22:26:24Z", | ||
| "published": "2024-06-04T22:26:24Z", | ||
| "aliases": [ | ||
| "CVE-2024-28103" | ||
| ], | ||
| "summary": "Missing security headers in Action Pack on non-HTML responses", | ||
| "details": "# Permissions-Policy is Only Served on HTML Content-Type\n\nThe application configurable Permissions-Policy is only served on responses\nwith an HTML related Content-Type.\n\nThis has been assigned the CVE identifier CVE-2024-28103.\n\n\nVersions Affected: >= 6.1.0\nNot affected: < 6.1.0\nFixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4\n\nImpact\n------\nResponses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced.\n\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nN/A\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for\nthe supported release series in accordance with our \n[maintenance policy](https://guides.rubyonrails.org/maintenance_policy.html#security-issues)\nregarding security issues. They are in git-am format and consist of a\nsingle changeset.\n\n* 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series\n* 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series\n* 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series\n\n\n\nCredits\n-------\n\nThank you [shinkbr](https://hackerone.com/shinkbr) for reporting this!", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" | ||
| } | ||
| ], | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "ecosystem": "RubyGems", | ||
| "name": "actionpack" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "6.1.0" | ||
| }, | ||
| { | ||
| "fixed": "6.1.7.8" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "package": { | ||
| "ecosystem": "RubyGems", | ||
| "name": "actionpack" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "7.0.0" | ||
| }, | ||
| { | ||
| "fixed": "7.0.8.4" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "package": { | ||
| "ecosystem": "RubyGems", | ||
| "name": "actionpack" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "7.1.0" | ||
| }, | ||
| { | ||
| "fixed": "7.1.3.4" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "package": { | ||
| "ecosystem": "RubyGems", | ||
| "name": "actionpack" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "7.2.0.beta1" | ||
| }, | ||
| { | ||
| "fixed": "7.2.0.beta2" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "versions": [ | ||
| "7.2.0.beta1" | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7" | ||
| }, | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28103" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523" | ||
| }, | ||
| { | ||
| "type": "PACKAGE", | ||
| "url": "https://github.com/rails/rails" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-20" | ||
| ], | ||
| "severity": "MODERATE", | ||
| "github_reviewed": true, | ||
| "github_reviewed_at": "2024-06-04T22:26:24Z", | ||
| "nvd_published_at": "2024-06-04T20:15:10Z" | ||
| } | ||
| } |
87 changes: 87 additions & 0 deletions
87
advisories/github-reviewed/2024/06/GHSA-prjp-h48f-jgf6/GHSA-prjp-h48f-jgf6.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,87 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-prjp-h48f-jgf6", | ||
| "modified": "2024-06-04T22:26:22Z", | ||
| "published": "2024-06-04T22:26:22Z", | ||
| "aliases": [ | ||
| "CVE-2024-32464" | ||
| ], | ||
| "summary": "ActionText ContentAttachment can Contain Unsanitized HTML", | ||
| "details": "Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML.\n\nThis has been assigned the CVE identifier CVE-2024-32464.\n\n\nVersions Affected: >= 7.1.0\nNot affected: < 7.1.0\nFixed Versions: 7.1.3.4\n\nImpact\n------\nThis could lead to a potential cross site scripting issue within the Trix editor.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nN/A\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our [maintenance policy](https://guides.rubyonrails.org/maintenance_policy.html#security-issues) regarding security issues. They are in git-am format and consist of a single changeset.\n\n* action_text_content_attachment_xss_7_1_stable.patch - Patch for 7.1 series\n\n\n\nCredits\n-------\n\nThank you [ooooooo_q](https://hackerone.com/ooooooo_q) for reporting this!", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" | ||
| } | ||
| ], | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "ecosystem": "RubyGems", | ||
| "name": "actiontext" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "7.1.0" | ||
| }, | ||
| { | ||
| "fixed": "7.1.3.4" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "package": { | ||
| "ecosystem": "RubyGems", | ||
| "name": "actiontext" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "7.2.0.beta1" | ||
| }, | ||
| { | ||
| "fixed": "7.2.0.beta2" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "versions": [ | ||
| "7.2.0.beta1" | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/rails/rails/security/advisories/GHSA-prjp-h48f-jgf6" | ||
| }, | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32464" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/rails/rails/commit/e215bf3360e6dfe1497c1503a495e384ed6b0995" | ||
| }, | ||
| { | ||
| "type": "PACKAGE", | ||
| "url": "https://github.com/rails/rails" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-79" | ||
| ], | ||
| "severity": "MODERATE", | ||
| "github_reviewed": true, | ||
| "github_reviewed_at": "2024-06-04T22:26:22Z", | ||
| "nvd_published_at": "2024-06-04T20:15:11Z" | ||
| } | ||
| } |