Bug 2290530 (CVE-2024-28103)

Summary: CVE-2024-28103 rubygem-actionpack: Missing security headers in Action Pack on non-HTML responses
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: akostadi, amasferr, bbuckingham, bcourt, cbartlet, dmayorov, ehelms, ggainey, jlledo, jsherril, juwatts, jvasik, kaycoth, lzap, mhulan, mkudlej, mmakovy, nmoumoul, orabin, pcreech, rblanco, rchan, smallamp, tjochec, vmugicag
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: rubygem-actionpack 6.1.7.8, rubygem-actionpack 7.0.8.2, rubygem-actionpack 7.1.3.3
Doc Text:
A flaw was found in rubygem-actionpack. Since version 6.1.0, the application-configurable Permissions-Policy is only served on responses with an HTML-related Content-Type. This vulnerability is fixed in versions 6.1.7.8, 7.0.8.2, and 7.1.3.3.
Story Points: ---
Bug Depends On: 2290531, 2290532, 2290533    
Bug Blocks: 2290529    

Description Rohit Keshri 2024-06-05 08:27:12 UTC
Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application-configurable Permissions-Policy is only served on responses with an HTML-related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.

https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523
https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
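Added example (not Rails' own middleware, and not part of this bug report): two minimal Rack-style middlewares in plain Ruby that model the behaviour the advisory describes. `VulnerablePermissionsPolicy` mirrors the pre-fix logic of emitting the header only for HTML-like Content-Types, `FixedPermissionsPolicy` emits it on every response, and `paths_missing_policy` is an assumed check that lists which sample responses come back without the header; the policy string, paths and Content-Types are constructed.

```ruby
# Constructed sample policy; in Rails it comes from config.permissions_policy.
SAMPLE_POLICY = "camera=(), geolocation=(self), microphone=()".freeze

# Pre-fix behaviour: the header is only added when the Content-Type looks like HTML.
class VulnerablePermissionsPolicy
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    content_type = headers["Content-Type"].to_s
    if content_type.start_with?("text/html", "application/xhtml+xml")
      headers["Permissions-Policy"] = SAMPLE_POLICY
    end
    [status, headers, body]
  end
end

# Fixed behaviour: the header is added to every response (JSON, XML, ...).
class FixedPermissionsPolicy
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers["Permissions-Policy"] = SAMPLE_POLICY
    [status, headers, body]
  end
end

# Constructed sample app: each path answers with a different Content-Type.
SAMPLE_CONTENT_TYPES = {
  "/page"      => "text/html; charset=utf-8",
  "/data.json" => "application/json",
  "/feed.xml"  => "application/xml",
}.freeze
SAMPLE_APP = lambda do |env|
  [200, { "Content-Type" => SAMPLE_CONTENT_TYPES.fetch(env["PATH_INFO"]) }, ["ok"]]
end

# Check which paths come back without Permissions-Policy under a given middleware;
# before the fix that list is exactly the non-HTML responses.
def paths_missing_policy(middleware_class, paths = SAMPLE_CONTENT_TYPES.keys)
  app = middleware_class.new(SAMPLE_APP)
  paths.reject { |path| app.call("PATH_INFO" => path)[1].key?("Permissions-Policy") }
end
```

The same check, pointed at real responses instead of `SAMPLE_APP`, is a quick way to confirm an upgraded deployment now sends the header on JSON and XML endpoints too.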

Comment 1 Rohit Keshri 2024-06-05 08:28:12 UTC
bash-5.2$ depcli -s  rubygem-actionpack
fedora-all	rubygem-actionpack
rhn_satellite_6	rubygem-actionpack
rhn_satellite_6	satellite:el8/rubygem-actionpack
bash-5.2$ depcli -s  rubygem-actionpack --flaw  2290530
Flaw is missing the following affect entries:

rhn_satellite_6	rubygem-actionpack
rhn_satellite_6	satellite:el8/rubygem-actionpack

Would you like to add them? (y/n): y

Comment 2 Rohit Keshri 2024-06-05 08:30:46 UTC
Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 2290531]