2080302 – (CVE-2022-22577) CVE-2022-22577 rubygem-actionpack: Possible cross-site scripting vulnerability in Action Pack

Bug 2080302 (CVE-2022-22577) - CVE-2022-22577 rubygem-actionpack: Possible cross-site scripting vulnerability in Action Pack

Summary: CVE-2022-22577 rubygem-actionpack: Possible cross-site scripting vulnerabilit...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-22577
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2080310 2092267
Blocks:	2080315
TreeView+	depends on / blocked

Reported:	2022-04-29 12:57 UTC by Pedro Sampaio
Modified:	2023-05-03 22:45 UTC (History)
CC List:	34 users (show)
Fixed In Version:	rubygem-actionpack 7.0.2.4, rubygem-actionpack 6.1.5.1, rubygem-actionpack 6.0.4.8, rubygem-actionpack 5.2.7.1
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in rubygem-actionpack where CSP headers were sent with responses that Rails considered "HTML" responses. This flaw allows an attacker to leave API requests without CSP headers and perform a Cross-site scripting attack.
Clone Of:
Environment:
Last Closed:	2023-05-03 22:45:47 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:2097	0	None	None	None	2023-05-03 13:19:22 UTC

Description Pedro Sampaio 2022-04-29 12:57:52 UTC

There is a possible XSS vulnerability in Rails / Action Pack.

References:

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml

Comment 1 Pedro Sampaio 2022-04-29 12:58:50 UTC

Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 2080310]

Comment 3 Jun Aruga 2022-06-01 12:37:15 UTC

> https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml
>
> Versions Affected:  >= 5.2.0
> Not affected:       < 5.2.0
> Fixed Versions:     7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Comment 7 errata-xmlrpc 2023-05-03 13:19:20 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.13 for RHEL 8

Via RHSA-2023:2097 https://access.redhat.com/errata/RHSA-2023:2097

Comment 8 Product Security DevOps Team 2023-05-03 22:45:43 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-22577

Note You need to log in before you can comment on or make changes to this bug.

akarol
amackenz
amasferr
bbuckingham
bcourt
btotty
chazlett
dmetzger
drieden
ehelms
gmccullo
gtanzill
jaruga
jfrey
jhardy
jsherril
lzap
mhulan
mkudlej
mo
nmoumoul
obarenbo
orabin
pcreech
pvalena
rchan
roliveri
ruby-packagers-sig
simaishi
smallamp
sseago
strzibny
tjochec
vondruch