Bug 2290530 (CVE-2024-28103) - CVE-2024-28103 rubygem-actionpack: Missing security headers in Action Pack on non-HTML responses
Summary: CVE-2024-28103 rubygem-actionpack: Missing security headers in Action Pack on...
Keywords:
Status: NEW
Alias: CVE-2024-28103
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2290531 2290532 2290533
Blocks: 2290529
Reported: 2024-06-05 08:27 UTC by Rohit Keshri
Modified: 2025-04-07 11:22 UTC (History)

Fixed In Version: rubygem-actionpack 6.1.7.8, rubygem-actionpack 7.0.8.2, rubygem-actionpack 7.1.3.3
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Rohit Keshri 2024-06-05 08:27:12 UTC
Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.

https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523
https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
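
Added illustration of the flaw class described above; this is constructed example code, not the Action Pack middleware itself. It assumes a plain Rack-style stack (no gem required), an assumed application policy string, and a constructed sample app that serves HTML on "/" and JSON on "/api", so a reviewer can check which content types actually receive the header.

```ruby
# Constructed example (not Rails' code): a Rack-style middleware that applies an
# application-configured Permissions-Policy header. The "before" version only adds it
# when the response is HTML, the pattern this bug describes; the fixed version adds it
# to every response. Rack itself is not loaded: the objects are plain duck-typed.

POLICY = "camera=(), microphone=(), geolocation=(self)".freeze  # assumed app policy

# Mirrors the flaw: the header is gated on an HTML Content-Type, so JSON, CSV, PDF or
# other non-HTML responses go out without the policy.
class HtmlOnlyPermissionsPolicy
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    if headers["Content-Type"].to_s.start_with?("text/html")
      headers["Permissions-Policy"] = POLICY
    end
    [status, headers, body]
  end
end

# Fixed behaviour: the policy is applied regardless of the response's Content-Type.
class PermissionsPolicyForAll
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers["Permissions-Policy"] ||= POLICY
    [status, headers, body]
  end
end

# Constructed sample app: HTML for "/", JSON for "/api".
SAMPLE_APP = lambda do |env|
  if env["PATH_INFO"] == "/api"
    [200, { "Content-Type" => "application/json" }, ['{"ok":true}']]
  else
    [200, { "Content-Type" => "text/html; charset=utf-8" }, ["<p>hi</p>"]]
  end
end

# Returns the Permissions-Policy header the stack emits for a path (nil if absent):
# the check to run against every content type an application serves.
def policy_header(middleware_class, path)
  _status, headers, _body = middleware_class.new(SAMPLE_APP).call("PATH_INFO" => path)
  headers["Permissions-Policy"]
end
```

With the gated version `policy_header(HtmlOnlyPermissionsPolicy, "/api")` returns nil while the fixed version returns the policy for both paths.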

Comment 1 Rohit Keshri 2024-06-05 08:28:12 UTC
bash-5.2$ depcli -s  rubygem-actionpack
fedora-all	rubygem-actionpack
rhn_satellite_6	rubygem-actionpack
rhn_satellite_6	satellite:el8/rubygem-actionpack
bash-5.2$ depcli -s  rubygem-actionpack --flaw  2290530
Flaw is missing the following affect entries:

rhn_satellite_6	rubygem-actionpack
rhn_satellite_6	satellite:el8/rubygem-actionpack

Would you like to add them? (y/n): y

Comment 2 Rohit Keshri 2024-06-05 08:30:46 UTC
Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 2290531]

