[CVE-2022-22577] Possible XSS Vulnerability in Action Pack

Aaron Patterson
Apr 26, 2022, 3:53:14 PM
to ruby-sec...@googlegroups.com, rubyonrail...@googlegroups.com

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been
assigned the CVE identifier CVE-2022-22577.

Versions Affected:  >= 5.2.0
Not affected:       < 5.2.0
Fixed Versions:     7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Impact
------

CSP headers were only sent along with responses that Rails considered as
"HTML" responses.  This left API requests without CSP headers, which could
possibly expose users to XSS attacks.

Releases
--------

The FIXED releases are available at the normal locations.

Workarounds
-----------

Set a CSP for your API responses manually.

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 5-2-csp-xss.patch - Patch for 5.2 series
* 6-0-csp-xss.patch - Patch for 6.0 series
* 6-1-csp-xss.patch - Patch for 6.1 series
* 7-0-csp-xss.patch - Patch for 7.0 series

Credits
-------

Thank you Tim Wade for making the patch, and thank you
[thorsteneckel](https://hackerone.com/thorsteneckel?type=user) for reporting
this issue.
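Added example, not code from the advisory or from Rails itself: a small Rack middleware in plain Ruby (no gems) that adds a Content-Security-Policy header to any response that lacks one, which is one way to apply the "set a CSP for your API responses manually" workaround to JSON/API responses that the affected versions left without a policy. The policy string, the header-check logic and the two stand-in inner apps are constructed for illustration.

```ruby
# Constructed restrictive policy for API responses: they render no document, so
# nothing should be loadable or embeddable. Adjust to your own API's needs.
API_CSP = "default-src 'none'; frame-ancestors 'none'".freeze

# Rack middleware: wraps any Rack app (a Rails app is one) and guarantees a
# Content-Security-Policy header on every response, whatever its content type.
class EnsureContentSecurityPolicy
  def initialize(app, policy: API_CSP)
    @app = app
    @policy = policy
  end

  # Rack entry point: takes the env hash, returns [status, headers, body].
  def call(env)
    status, headers, body = @app.call(env)
    # Header names may differ in case between Rack versions, so compare
    # case-insensitively. Only add the policy if the app did not set its own,
    # so a CSP chosen by a controller or by Rails' HTML handling is preserved.
    unless headers.keys.any? { |k| k.to_s.casecmp?("content-security-policy") }
      headers["Content-Security-Policy"] = @policy
    end
    [status, headers, body]
  end
end

# Constructed stand-in for an API controller in an affected version: a JSON
# response with no CSP header at all.
JSON_APP = lambda do |_env|
  [200, { "Content-Type" => "application/json" }, ['{"ok":true}']]
end

# Constructed stand-in for an HTML response that already carries a policy;
# the middleware must leave it untouched.
HTML_APP = lambda do |_env|
  [200, { "Content-Type" => "text/html",
          "Content-Security-Policy" => "default-src 'self'" }, ["<p>hi</p>"]]
end

# Runs one request through the middleware and returns the resulting CSP value.
def response_csp(app, path)
  env = { "PATH_INFO" => path, "REQUEST_METHOD" => "GET" }
  _status, headers, _body = EnsureContentSecurityPolicy.new(app).call(env)
  headers.find { |k, _| k.casecmp?("content-security-policy") }&.last
end

if $PROGRAM_NAME == __FILE__
  puts response_csp(JSON_APP, "/api/items") # API response now carries API_CSP
  puts response_csp(HTML_APP, "/")          # existing policy is kept as-is
end
```

In a Rails app the middleware would be registered with `config.middleware.use` so it wraps the whole response path, including API controllers.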
