Package Instance

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da

reference_url

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml

reference_url

https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3
scoring_elements

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ

reference_url

https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

reference_url

https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released

reference_url

https://security.netapp.com/advisory/ntap-20240119-0013

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240119-0013

reference_url	https://security.netapp.com/advisory/ntap-20240119-0013/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20240119-0013/

reference_url

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2022/02/11/5

reference_url

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2022/02/11/5

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389
reference_id	1005389
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2063149
reference_id	2063149
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2063149

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-23633

reference_id

CVE-2022-23633

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-23633

reference_url

https://github.com/advisories/GHSA-wh98-p28r-vrc9

reference_id

GHSA-wh98-p28r-vrc9

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-wh98-p28r-vrc9

reference_url

https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9

reference_id

GHSA-wh98-p28r-vrc9

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9

reference_url	https://access.redhat.com/errata/RHSA-2022:5498
reference_id	RHSA-2022:5498
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:5498

fixed_packages

url pkg:gem/actionpack@6.0.4.6

purl pkg:gem/actionpack@6.0.4.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.4.6

url pkg:gem/actionpack@6.1.0.rc1

purl pkg:gem/actionpack@6.1.0.rc1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.0.rc1

url pkg:gem/actionpack@6.1.4.6

purl pkg:gem/actionpack@6.1.4.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.4.6

url pkg:gem/actionpack@7.0.0.alpha1

purl pkg:gem/actionpack@7.0.0.alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1

url pkg:gem/actionpack@7.0.2.2

purl pkg:gem/actionpack@7.0.2.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sbuv-a22t-bbe2

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.2.2

aliases CVE-2022-23633, GHSA-wh98-p28r-vrc9

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2fra-ffky-97ce

url VCID-37qm-tp8v-tugb

vulnerability_id VCID-37qm-tp8v-tugb

summary

Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
There is a possible ReDoS vulnerability in Action Controller's
HTTP Token authentication. This vulnerability has been assigned
the CVE identifier CVE-2024-47887.

## Impact

For applications using HTTP Token authentication via
`authenticate_or_request_with_http_token` or similar, a carefully
crafted header may cause header parsing to take an unexpected amount
of time, possibly resulting in a DoS vulnerability. All users running
an affected release should either upgrade or apply the relevant
patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications
using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends
on Ruby 3.2 or greater so is unaffected.

## Releases

The fixed releases are available at the normal locations.

## Workarounds

Users on Ruby 3.2 are unaffected by this issue.

## Credits

Thanks to [scyoon](https://hackerone.com/scyoon) for reporting

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47887.json

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47887.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-47887

reference_id

reference_type

scores

value	0.00273
scoring_system	epss
scoring_elements	0.5093
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-47887

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47887
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47887

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/

url

https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id	1085376
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2319034
reference_id	2319034
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2319034

reference_url

https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049

reference_id

56b2fc3302836405b496e196a8d5fc0195e55049

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/

url

https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049

reference_url

https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a

reference_id

7c1398854d51f9bb193fb79f226647351133d08a

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/

url

https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a

reference_url

https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545

reference_id

8e057db25bff1dc7a98e9ae72e0083825b9ac545

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/

url

https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2024-47887
reference_id	CVE-2024-47887
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2024-47887

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml

reference_id

CVE-2024-47887.YML

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml

reference_url

https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2

reference_id

f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/

url

https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2

reference_url

https://github.com/advisories/GHSA-vfg9-r3fq-jvx4

reference_id

GHSA-vfg9-r3fq-jvx4

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-vfg9-r3fq-jvx4

reference_url	https://usn.ubuntu.com/7290-1/
reference_id	USN-7290-1
reference_type
scores
url	https://usn.ubuntu.com/7290-1/

fixed_packages

url pkg:gem/actionpack@6.1.7.9

purl pkg:gem/actionpack@6.1.7.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.9

url pkg:gem/actionpack@7.0.0.alpha1

purl pkg:gem/actionpack@7.0.0.alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1

url pkg:gem/actionpack@7.0.8.5

purl pkg:gem/actionpack@7.0.8.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.5

url pkg:gem/actionpack@7.1.0.beta1

purl pkg:gem/actionpack@7.1.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.0.beta1

url pkg:gem/actionpack@7.1.4.1

purl pkg:gem/actionpack@7.1.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.4.1

url pkg:gem/actionpack@7.2.0.beta1

purl pkg:gem/actionpack@7.2.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.0.beta1

url pkg:gem/actionpack@7.2.1.1

purl pkg:gem/actionpack@7.2.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.1.1

url pkg:gem/actionpack@8.0.0.beta1

purl pkg:gem/actionpack@8.0.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.beta1

aliases CVE-2024-47887, GHSA-vfg9-r3fq-jvx4

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-37qm-tp8v-tugb

url VCID-4uv1-e1me-hqb3

vulnerability_id VCID-4uv1-e1me-hqb3

summary Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in actionview.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-27777.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-27777.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-27777

reference_id

reference_type

scores

value	0.01409
scoring_system	epss
scoring_elements	0.80853
published_at	2026-06-05T12:55:00Z

value	0.01409
scoring_system	epss
scoring_elements	0.80827
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85

reference_url

https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw

reference_url

https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

reference_url

https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-27777

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016982
reference_id	1016982
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016982

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2080296
reference_id	2080296
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2080296

reference_url

reference_id

CVE-2022-27777

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-27777

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml

reference_id

CVE-2022-27777.YML

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml

reference_url

https://github.com/advisories/GHSA-ch3h-j2vf-95pv

reference_id

GHSA-ch3h-j2vf-95pv

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-ch3h-j2vf-95pv

reference_url	https://access.redhat.com/errata/RHSA-2023:2097
reference_id	RHSA-2023:2097
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2097

fixed_packages

url pkg:gem/actionpack@6.0.4.8

purl pkg:gem/actionpack@6.0.4.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.4.8

url pkg:gem/actionpack@6.1.5.1

purl pkg:gem/actionpack@6.1.5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.5.1

url pkg:gem/actionpack@7.0.2.4

purl pkg:gem/actionpack@7.0.2.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sbuv-a22t-bbe2

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.2.4

aliases CVE-2022-27777, GHSA-ch3h-j2vf-95pv, GMS-2022-1138

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4uv1-e1me-hqb3

url VCID-9t5z-1umq-qbe4

vulnerability_id VCID-9t5z-1umq-qbe4

summary

Possible Open Redirect Vulnerability in Action Pack
There is a possible Open Redirect Vulnerability in Action Pack. This
vulnerability has been assigned the CVE identifier CVE-2021-22903.

Versions Affected:  >= v6.1.0.rc2
Not affected:       < v6.1.0.rc2
Fixed Versions:     6.1.3.2

Impact
------
This is similar to CVE-2021-22881: Specially crafted Host headers in
combination with certain "allowed host" formats can cause the Host
Authorization middleware in Action Pack to redirect users to a malicious
website.

Since rails/rails@9bc7ea5, strings in config.hosts that do not have a leading
dot are converted to regular expressions without proper escaping. This causes,
for example, config.hosts << "sub.example.com" to permit a request with a Host
header value of sub-example.com.

Workarounds
-----------
The following monkey patch put in an initializer can be used as a workaround:

```ruby
class ActionDispatch::HostAuthorization::Permissions
  def sanitize_string(host)
    if host.start_with?(".")
      /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
    else
      /\A#{Regexp.escape host}\z/i
    end
  end
end
```

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22903.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22903.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-22903

reference_id

reference_type

scores

value	0.00096
scoring_system	epss
scoring_elements	0.26606
published_at	2026-06-05T12:55:00Z

value	0.00096
scoring_system	epss
scoring_elements	0.26504
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-22903

reference_url

https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails/releases/tag/v6.1.3.2

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v6.1.3.2

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22903.yml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22903.yml

reference_url

https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0

reference_url

https://hackerone.com/reports/1148025

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/1148025

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1957438
reference_id	1957438
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1957438

reference_url

https://security.archlinux.org/AVG-1919

reference_id

AVG-1919

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-1919

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-22903

reference_id

CVE-2021-22903

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22903

fixed_packages

url pkg:gem/actionpack@6.1.3.2

purl pkg:gem/actionpack@6.1.3.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.3.2

aliases CVE-2021-22903, GHSA-5hq2-xf89-9jxq

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9t5z-1umq-qbe4

url VCID-bfqq-ypyw-dycj

vulnerability_id VCID-bfqq-ypyw-dycj

summary

Rails has possible XSS Vulnerability in Action Controller
# Possible XSS Vulnerability in Action Controller

There is a possible XSS vulnerability when using the translation helpers
(`translate`, `t`, etc) in Action Controller. This vulnerability has been
assigned the CVE identifier CVE-2024-26143.

Versions Affected:  >= 7.0.0.
Not affected:       < 7.0.0
Fixed Versions:     7.1.3.1, 7.0.8.1

Impact
------
Applications using translation methods like `translate`, or `t` on a
controller, with a key ending in "_html", a `:default` key which contains
untrusted user input, and the resulting string is used in a view, may be
susceptible to an XSS vulnerability.

For example, impacted code will look something like this:

```ruby
class ArticlesController < ApplicationController
  def show  
    @message = t("message_html", default: untrusted_input)
    # The `show` template displays the contents of `@message`
  end
end
```

To reiterate the pre-conditions, applications must:

* Use a translation function from a controller (i.e. _not_ I18n.t, or `t` from
  a view)
* Use a key that ends in `_html`
* Use a default value where the default value is untrusted and unescaped input
* Send the text to the victim (whether that's part of a template, or a
  `render` call)

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

*  7-0-translate-xss.patch - Patch for 7.0 series
*  7-1-translate-xss.patch - Patch for 7.1 series

Credits
-------

Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the patch and fix!

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26143.json

reference_id

reference_type

scores

value	4.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26143.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-26143

reference_id

reference_type

scores

value	0.02067
scoring_system	epss
scoring_elements	0.84271
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-26143

reference_url

https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/

url

https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/

url

https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc

reference_url

https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/

url

https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e

reference_url

https://security.netapp.com/advisory/ntap-20240510-0004

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240510-0004

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2266388
reference_id	2266388
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2266388

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-26143

reference_id

CVE-2024-26143

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-26143

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml

reference_id

CVE-2024-26143.YML

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml

reference_url

https://github.com/advisories/GHSA-9822-6m93-xqf4

reference_id

GHSA-9822-6m93-xqf4

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9822-6m93-xqf4

reference_url

https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4

reference_id

GHSA-9822-6m93-xqf4

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/

url

https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4

reference_url

https://security.netapp.com/advisory/ntap-20240510-0004/

reference_id

ntap-20240510-0004

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/

url

https://security.netapp.com/advisory/ntap-20240510-0004/

fixed_packages

url pkg:gem/actionpack@7.0.8.1

purl pkg:gem/actionpack@7.0.8.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.1

url pkg:gem/actionpack@7.1.3.1

purl pkg:gem/actionpack@7.1.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.3.1

aliases CVE-2024-26143, GHSA-9822-6m93-xqf4

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bfqq-ypyw-dycj

url VCID-cuqq-33dv-xqfh

vulnerability_id VCID-cuqq-33dv-xqfh

summary multiple issues

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22885.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22885.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-22885

reference_id

reference_type

scores

value	0.01264
scoring_system	epss
scoring_elements	0.79805
published_at	2026-06-05T12:55:00Z

value	0.01264
scoring_system	epss
scoring_elements	0.7978
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-22885

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml

reference_url

https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI

reference_url

https://hackerone.com/reports/1106652

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/1106652

reference_url

https://security.netapp.com/advisory/ntap-20210805-0009

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20210805-0009

reference_url	https://security.netapp.com/advisory/ntap-20210805-0009/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20210805-0009/

reference_url	https://www.debian.org/security/2021/dsa-4929
reference_id
reference_type
scores
url	https://www.debian.org/security/2021/dsa-4929

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1957441
reference_id	1957441
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1957441

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
reference_id	988214
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214

reference_url

reference_id

AVG-1920

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

reference_url

reference_id

AVG-1921

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

reference_url

reference_id

AVG-2090

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

reference_url

reference_id

AVG-2223

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22885

reference_url

reference_id

CVE-2021-22885

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22885

reference_url	https://access.redhat.com/errata/RHSA-2021:4702
reference_id	RHSA-2021:4702
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:4702

fixed_packages

url pkg:gem/actionpack@6.0.3.7

purl pkg:gem/actionpack@6.0.3.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.7

url pkg:gem/actionpack@6.1.3.1

purl pkg:gem/actionpack@6.1.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-ugdk-t2vk-nkfc

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.3.1

url pkg:gem/actionpack@6.1.3.2

purl pkg:gem/actionpack@6.1.3.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.3.2

aliases CVE-2021-22885, GHSA-hjg4-8q5f-x6fm

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cuqq-33dv-xqfh

url VCID-egdx-4qqa-guh1

vulnerability_id VCID-egdx-4qqa-guh1

summary

Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to
The `redirect_to` method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28362.json

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28362.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-28362

reference_id

reference_type

scores

value	0.00207
scoring_system	epss
scoring_elements	0.43036
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-28362

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28362
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28362

reference_url

https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132

reference_id

reference_type

scores

value	4.0
scoring_system	cvssv3
scoring_elements

value	4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/

url

https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441

reference_url

reference_id

reference_type

scores

value	4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/

url

https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441

reference_url

https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5

reference_id

reference_type

scores

value	4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/

url

https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5

reference_url

https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23

reference_id

reference_type

scores

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23

reference_url

https://security.netapp.com/advisory/ntap-20250502-0009

reference_id

reference_type

scores

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20250502-0009

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051058
reference_id	1051058
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051058

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2217785
reference_id	2217785
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2217785

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-28362

reference_id

CVE-2023-28362

reference_type

scores

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-28362

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml

reference_id

CVE-2023-28362.YML

reference_type

scores

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml

reference_url

https://github.com/advisories/GHSA-4g8v-vg43-wpgf

reference_id

GHSA-4g8v-vg43-wpgf

reference_type

scores

value	4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/

url

https://github.com/advisories/GHSA-4g8v-vg43-wpgf

reference_url	https://access.redhat.com/errata/RHSA-2023:7851
reference_id	RHSA-2023:7851
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7851

fixed_packages

url pkg:gem/actionpack@6.1.7.4

purl pkg:gem/actionpack@6.1.7.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.4

url pkg:gem/actionpack@7.0.5.1

purl pkg:gem/actionpack@7.0.5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.5.1

aliases CVE-2023-28362, GHSA-4g8v-vg43-wpgf

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-egdx-4qqa-guh1

url VCID-f7bp-x4q3-jbeh

vulnerability_id VCID-f7bp-x4q3-jbeh

summary

Possible Strong Parameters Bypass in ActionPack
There is a strong parameters bypass vector in ActionPack.

Versions Affected:  rails <= 6.0.3
Not affected:       rails < 4.0.0
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------
In some cases user supplied information can be inadvertently leaked from
Strong Parameters.  Specifically the return value of `each`, or `each_value`,
or `each_pair` will return the underlying "untrusted" hash of data that was
read from the parameters.  Applications that use this return value may be
inadvertently use untrusted user input.

Impacted code will look something like this:

```
def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
   params.each { |k, v|  SomeModel.check(v) if k == :name }
end
```

Note the mistaken use of `each` in the `clean_up_params` method in the above
example.

Workarounds
-----------
Do not use the return values of `each`, `each_value`, or `each_pair` in your
application.

references

reference_url

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html

reference_url

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html

reference_url

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8164.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8164.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-8164

reference_id

reference_type

scores

value	0.07389
scoring_system	epss
scoring_elements	0.91878
published_at	2026-06-05T12:55:00Z

value	0.07389
scoring_system	epss
scoring_elements	0.91866
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-8164

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml

reference_url

https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY

reference_url

https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY

reference_url

https://hackerone.com/reports/292797

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/292797

reference_url

https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html

reference_url

https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-8164

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1842634
reference_id	1842634
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1842634

reference_url

reference_id

CVE-2020-8164

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-8164

reference_url

https://github.com/advisories/GHSA-8727-m6gj-mc37

reference_id

GHSA-8727-m6gj-mc37

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8727-m6gj-mc37

reference_url	https://access.redhat.com/errata/RHSA-2021:1313
reference_id	RHSA-2021:1313
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:1313

fixed_packages

url pkg:gem/actionpack@6.0.3.1

purl pkg:gem/actionpack@6.0.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-cuqq-33dv-xqfh

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-h52p-drh6-xfg4

vulnerability	VCID-hxcf-k4te-h3gu

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-tctm-uptk-1kcx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-ugdk-t2vk-nkfc

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-uusn-n8vk-2bcm

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.1

aliases CVE-2020-8164, GHSA-8727-m6gj-mc37

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f7bp-x4q3-jbeh

url VCID-h52p-drh6-xfg4

vulnerability_id VCID-h52p-drh6-xfg4

summary multiple issues

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22902.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22902.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-22902

reference_id

reference_type

scores

value	0.00677
scoring_system	epss
scoring_elements	0.71945
published_at	2026-06-05T12:55:00Z

value	0.00677
scoring_system	epss
scoring_elements	0.71906
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-22902

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22902
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22902

reference_url

https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails/releases/tag/v6.0.3.7

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v6.0.3.7

reference_url

https://github.com/rails/rails/releases/tag/v6.1.3.2

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v6.1.3.2

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22902.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22902.yml

reference_url

https://groups.google.com/g/rubyonrails-security/c/_5ID_ld9u1c

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/_5ID_ld9u1c

reference_url

https://hackerone.com/reports/1138654

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/1138654

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1961382
reference_id	1961382
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1961382

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
reference_id	988214
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214

reference_url

reference_id

AVG-2090

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

reference_url

reference_id

AVG-2223

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22902

reference_url

reference_id

CVE-2021-22902

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22902

reference_url	https://access.redhat.com/errata/RHSA-2021:4702
reference_id	RHSA-2021:4702
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:4702

fixed_packages

url pkg:gem/actionpack@6.0.3.7

purl pkg:gem/actionpack@6.0.3.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.7

url pkg:gem/actionpack@6.1.1

purl pkg:gem/actionpack@6.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-cuqq-33dv-xqfh

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-tctm-uptk-1kcx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-ugdk-t2vk-nkfc

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.1

url pkg:gem/actionpack@6.1.3.2

purl pkg:gem/actionpack@6.1.3.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.3.2

aliases CVE-2021-22902, GHSA-g8ww-46x2-2p65

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h52p-drh6-xfg4

url VCID-hdfr-q55f-xka7

vulnerability_id VCID-hdfr-q55f-xka7

summary

Ability to forge per-form CSRF tokens given a global CSRF token
It is possible to possible to, given a global CSRF token such as the one
present in the authenticity_token meta tag, forge a per-form CSRF token for
any action for that session.

Versions Affected:  rails < 5.2.5, rails < 6.0.4
Not affected:       Applications without existing HTML injection vulnerabilities.
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

Given the ability to extract the global CSRF token, an attacker would be able to
construct a per-form CSRF token for that session.

Workarounds
-----------

This is a low-severity security issue. As such, no workaround is necessarily
until such time as the application can be upgraded.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8166.json

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8166.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-8166

reference_id

reference_type

scores

value	0.00443
scoring_system	epss
scoring_elements	0.63675
published_at	2026-06-05T12:55:00Z

value	0.00443
scoring_system	epss
scoring_elements	0.63633
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-8166

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw

reference_url

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3
scoring_elements

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw

reference_url

https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T15:45:41Z/

url

https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw

reference_url

https://hackerone.com/reports/732415

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T15:45:41Z/

url

https://hackerone.com/reports/732415

reference_url

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T15:45:41Z/

url

https://nvd.nist.gov/vuln/detail/CVE-2020-8166

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1843152
reference_id	1843152
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1843152

reference_url

reference_id

CVE-2020-8166

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-8166

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8166.yml

reference_id

CVE-2020-8166.YML

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8166.yml

reference_url

https://github.com/advisories/GHSA-jp5v-5gx4-jmj9

reference_id

GHSA-jp5v-5gx4-jmj9

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jp5v-5gx4-jmj9

reference_url	https://access.redhat.com/errata/RHSA-2021:1313
reference_id	RHSA-2021:1313
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:1313

fixed_packages

url pkg:gem/actionpack@6.0.3.1

purl pkg:gem/actionpack@6.0.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-cuqq-33dv-xqfh

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-h52p-drh6-xfg4

vulnerability	VCID-hxcf-k4te-h3gu

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-tctm-uptk-1kcx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-ugdk-t2vk-nkfc

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-uusn-n8vk-2bcm

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.1

aliases CVE-2020-8166, GHSA-jp5v-5gx4-jmj9

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hdfr-q55f-xka7

url VCID-hxcf-k4te-h3gu

vulnerability_id VCID-hxcf-k4te-h3gu

summary

Untrusted users able to run pending migrations in production
There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed
an untrusted user to run any pending migrations on a Rails app running in
production.

This vulnerability has been assigned the CVE identifier CVE-2020-8185.

Versions Affected:  6.0.0 < rails < 6.0.3.2
Not affected:       Applications with `config.action_dispatch.show_exceptions = false` (this is not a default setting in production)
Fixed Versions:     rails >= 6.0.3.2

Impact
------

Using this issue, an attacker would be able to execute any migrations that
are pending for a Rails app running in production mode. It is important to
note that an attacker is limited to running migrations the application
developer has already defined in their application and ones that have not
already ran.

Workarounds
-----------

Until such time as the patch can be applied, application developers should
disable the ActionDispatch middleware in their production environment via
a line such as this one in their config/environment/production.rb:

`config.middleware.delete ActionDispatch::ActionableExceptions`

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8185.json

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8185.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-8185

reference_id

reference_type

scores

value	0.00679
scoring_system	epss
scoring_elements	0.71997
published_at	2026-06-05T12:55:00Z

value	0.00679
scoring_system	epss
scoring_elements	0.71957
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-8185

reference_url

https://github.com/rails/rails/commit/2121b9d20b60ed503aa041ef7b926d331ed79fc2

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/2121b9d20b60ed503aa041ef7b926d331ed79fc2

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8185.yml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8185.yml

reference_url

https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0

reference_url

https://hackerone.com/reports/899069

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/899069

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1852380
reference_id	1852380
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1852380

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964081
reference_id	964081
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964081

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-8185

reference_id

CVE-2020-8185

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-8185

reference_url

https://github.com/advisories/GHSA-c6qr-h5vq-59jc

reference_id

GHSA-c6qr-h5vq-59jc

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-c6qr-h5vq-59jc

reference_url	https://access.redhat.com/errata/RHSA-2021:1313
reference_id	RHSA-2021:1313
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:1313

fixed_packages

url pkg:gem/actionpack@6.0.3.2

purl pkg:gem/actionpack@6.0.3.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-cuqq-33dv-xqfh

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-h52p-drh6-xfg4

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-tctm-uptk-1kcx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-ugdk-t2vk-nkfc

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-uusn-n8vk-2bcm

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.2

aliases CVE-2020-8185, GHSA-c6qr-h5vq-59jc

risk_score 3.2

exploitability 0.5

weighted_severity 6.4

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hxcf-k4te-h3gu

url VCID-n798-maqx-y3c9

vulnerability_id VCID-n798-maqx-y3c9

summary

Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch
# Possible ReDoS vulnerability in Accept header parsing in Action Dispatch

There is a possible ReDoS vulnerability in the Accept header parsing routines
of Action Dispatch. This vulnerability has been assigned the CVE identifier
CVE-2024-26142.

Versions Affected:  >= 7.1.0, < 7.1.3.1
Not affected:       < 7.1.0
Fixed Versions:     7.1.3.1

Impact
------
Carefully crafted Accept headers can cause Accept header parsing in Action
Dispatch to take an unexpected amount of time, possibly resulting in a DoS
vulnerability.  All users running an affected release should either upgrade or
use one of the workarounds immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby
3.2 or newer are unaffected.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 7-1-accept-redox.patch - Patch for 7.1 series

Credits
-------
Thanks [svalkanov](https://hackerone.com/svalkanov) for the report and patch!

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26142.json

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26142.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-26142

reference_id

reference_type

scores

value	0.03542
scoring_system	epss
scoring_elements	0.87908
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-26142

reference_url

https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/

url

https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/

url

https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2266324
reference_id	2266324
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2266324

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-26142

reference_id

CVE-2024-26142

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-26142

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml

reference_id

CVE-2024-26142.YML

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml

reference_url

https://github.com/advisories/GHSA-jjhx-jhvp-74wq

reference_id

GHSA-jjhx-jhvp-74wq

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jjhx-jhvp-74wq

reference_url

https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq

reference_id

GHSA-jjhx-jhvp-74wq

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/

url

https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq

reference_url

https://security.netapp.com/advisory/ntap-20240503-0003/

reference_id

ntap-20240503-0003

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/

url

https://security.netapp.com/advisory/ntap-20240503-0003/

fixed_packages

url pkg:gem/actionpack@7.1.3.1

purl pkg:gem/actionpack@7.1.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.3.1

aliases CVE-2024-26142, GHSA-jjhx-jhvp-74wq

risk_score 2.6

exploitability 0.5

weighted_severity 5.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n798-maqx-y3c9

url VCID-nhny-abkr-6qhb

vulnerability_id VCID-nhny-abkr-6qhb

summary

ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-22795

reference_id

reference_type

scores

value	0.01304
scoring_system	epss
scoring_elements	0.80125
published_at	2026-06-05T12:55:00Z

value	0.01304
scoring_system	epss
scoring_elements	0.80099
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f

reference_url

https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0

reference_url

https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592

reference_url

https://github.com/rails/rails/releases/tag/v6.1.7.1

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v6.1.7.1

reference_url

https://github.com/rails/rails/releases/tag/v7.0.4.1

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v7.0.4.1

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml

reference_url

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id	1030050
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2164799
reference_id	2164799
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2164799

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-22795

reference_id

CVE-2023-22795

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-22795

reference_url	https://github.com/advisories/GHSA-8xww-x3g3-6jcv
reference_id	GHSA-8xww-x3g3-6jcv
reference_type
scores
url	https://github.com/advisories/GHSA-8xww-x3g3-6jcv

reference_url	https://access.redhat.com/errata/RHSA-2023:6818
reference_id	RHSA-2023:6818
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6818

fixed_packages

url pkg:gem/actionpack@6.1.7.1

purl pkg:gem/actionpack@6.1.7.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.1

url pkg:gem/actionpack@7.0.4.1

purl pkg:gem/actionpack@7.0.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.4.1

aliases CVE-2023-22795, GHSA-8xww-x3g3-6jcv, GMS-2023-56

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nhny-abkr-6qhb

url VCID-nprk-kfvh-vqfh

vulnerability_id VCID-nprk-kfvh-vqfh

summary

Possible ReDoS vulnerability in query parameter filtering in Action Dispatch
There is a possible ReDoS vulnerability in the query parameter
filtering routines of Action Dispatch. This vulnerability has
been assigned the CVE identifier CVE-2024-41128.

## Impact

Carefully crafted query parameters can cause query parameter
filtering to take an unexpected amount of time, possibly resulting
in a DoS vulnerability. All users running an affected release
should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications
using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends
on Ruby 3.2 or greater so is unaffected.

## Releases

The fixed releases are available at the normal locations.

## Workarounds

Users on Ruby 3.2 are unaffected by this issue.

## Credits

Thanks to [scyoon](https://hackerone.com/scyoon) for the report and patches!

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41128.json

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41128.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-41128

reference_id

reference_type

scores

value	0.00557
scoring_system	epss
scoring_elements	0.68591
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-41128

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=2319036

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://bugzilla.redhat.com/show_bug.cgi?id=2319036

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41128
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41128

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075

reference_url

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075

reference_url

https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef

reference_url

https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891

reference_url

https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd

reference_url

https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id	1085376
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376

reference_url

https://access.redhat.com/security/cve/cve-2024-41128

reference_id

CVE-2024-41128

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://access.redhat.com/security/cve/cve-2024-41128

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-41128

reference_id

CVE-2024-41128

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-41128

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml

reference_id

CVE-2024-41128.YML

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml

reference_url

https://github.com/advisories/GHSA-x76w-6vjr-8xgj

reference_id

GHSA-x76w-6vjr-8xgj

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-x76w-6vjr-8xgj

reference_url	https://usn.ubuntu.com/7290-1/
reference_id	USN-7290-1
reference_type
scores
url	https://usn.ubuntu.com/7290-1/

fixed_packages

url pkg:gem/actionpack@6.1.7.9

purl pkg:gem/actionpack@6.1.7.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.9

url pkg:gem/actionpack@7.0.0.alpha1

purl pkg:gem/actionpack@7.0.0.alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1

url pkg:gem/actionpack@7.0.8.5

purl pkg:gem/actionpack@7.0.8.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.5

url pkg:gem/actionpack@7.1.0.beta1

purl pkg:gem/actionpack@7.1.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.0.beta1

url pkg:gem/actionpack@7.1.4.1

purl pkg:gem/actionpack@7.1.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.4.1

url pkg:gem/actionpack@7.2.0.beta1

purl pkg:gem/actionpack@7.2.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.0.beta1

url pkg:gem/actionpack@7.2.1.1

purl pkg:gem/actionpack@7.2.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.1.1

url pkg:gem/actionpack@8.0.0.beta1

purl pkg:gem/actionpack@8.0.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.beta1

aliases CVE-2024-41128, GHSA-x76w-6vjr-8xgj

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nprk-kfvh-vqfh

url VCID-qe2s-6tzh-cqfv

vulnerability_id VCID-qe2s-6tzh-cqfv

summary open redirect

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22942.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22942.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-22942

reference_id

reference_type

scores

value	0.00533
scoring_system	epss
scoring_elements	0.67727
published_at	2026-06-04T12:55:00Z

value	0.00533
scoring_system	epss
scoring_elements	0.67768
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c

reference_url

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240202-0005

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240202-0005

reference_url

https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released

reference_url	https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/
reference_id
reference_type
scores
url	https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2021/12/14/5

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2021/12/14/5

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1995940
reference_id	1995940
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1995940

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586
reference_id	992586
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586

reference_url

https://security.archlinux.org/AVG-2492

reference_id

AVG-2492

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-2492

reference_url

https://security.archlinux.org/AVG-2493

reference_id

AVG-2493

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-2493

reference_url

https://access.redhat.com/security/cve/cve-2021-22942

reference_id

CVE-2021-22942

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/security/cve/cve-2021-22942

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-22942

reference_id

CVE-2021-22942

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22942

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml

reference_id

CVE-2021-22942.YML

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml

reference_url	https://github.com/advisories/GHSA-2rqw-v265-jf8c
reference_id	GHSA-2rqw-v265-jf8c
reference_type
scores
url	https://github.com/advisories/GHSA-2rqw-v265-jf8c

fixed_packages

url pkg:gem/actionpack@6.0.4.1

purl pkg:gem/actionpack@6.0.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.4.1

url pkg:gem/actionpack@6.1.4.1

purl pkg:gem/actionpack@6.1.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.4.1

aliases CVE-2021-22942, GHSA-2rqw-v265-jf8c

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qe2s-6tzh-cqfv

url VCID-rpen-b1gf-9kh8

vulnerability_id VCID-rpen-b1gf-9kh8

summary

Duplicate
This advisory duplicates another.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22577.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22577.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-22577

reference_id

reference_type

scores

value	0.00495
scoring_system	epss
scoring_elements	0.66119
published_at	2026-06-04T12:55:00Z

value	0.00495
scoring_system	epss
scoring_elements	0.66171
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec

reference_url

https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508

reference_url

https://github.com/rails/rails/commit/8198d7c4accad0b6ba956b9d59528534a289866b

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/8198d7c4accad0b6ba956b9d59528534a289866b

reference_url

https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809

reference_url

https://github.com/rails/rails/pull/44635

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/pull/44635

reference_url

https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI

reference_url

https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

reference_url

https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released

reference_url

https://security.netapp.com/advisory/ntap-20221118-0002

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20221118-0002

reference_url	https://security.netapp.com/advisory/ntap-20221118-0002/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20221118-0002/

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-22577

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011941
reference_id	1011941
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011941

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2080302
reference_id	2080302
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2080302

reference_url

reference_id

CVE-2022-22577

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-22577

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml

reference_id

CVE-2022-22577.YML

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml

reference_url

https://github.com/advisories/GHSA-mm33-5vfq-3mm3

reference_id

GHSA-mm33-5vfq-3mm3

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mm33-5vfq-3mm3

reference_url	https://access.redhat.com/errata/RHSA-2023:2097
reference_id	RHSA-2023:2097
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2097

fixed_packages

url pkg:gem/actionpack@6.0.4.8

purl pkg:gem/actionpack@6.0.4.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.4.8

url pkg:gem/actionpack@6.1.5.1

purl pkg:gem/actionpack@6.1.5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.5.1

url pkg:gem/actionpack@7.0.2.4

purl pkg:gem/actionpack@7.0.2.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sbuv-a22t-bbe2

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.2.4

aliases CVE-2022-22577, GHSA-mm33-5vfq-3mm3, GMS-2022-1137

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rpen-b1gf-9kh8

url VCID-sw7t-5s3e-vkhx

vulnerability_id VCID-sw7t-5s3e-vkhx

summary

ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted `X_FORWARDED_HOST` header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-22792

reference_id

reference_type

scores

value	0.02264
scoring_system	epss
scoring_elements	0.84957
published_at	2026-06-05T12:55:00Z

value	0.02264
scoring_system	epss
scoring_elements	0.84933
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/

url

https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v7.0.4.1

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v7.0.4.1

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml

reference_url

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

reference_url

https://security.netapp.com/advisory/ntap-20240202-0007

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240202-0007

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/

url

https://nvd.nist.gov/vuln/detail/CVE-2023-22792

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id	1030050
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2164800
reference_id	2164800
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2164800

reference_url

reference_id

CVE-2023-22792

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-22792

reference_url	https://github.com/advisories/GHSA-p84v-45xj-wwqj
reference_id	GHSA-p84v-45xj-wwqj
reference_type
scores
url	https://github.com/advisories/GHSA-p84v-45xj-wwqj

reference_url

https://security.netapp.com/advisory/ntap-20240202-0007/

reference_id

ntap-20240202-0007

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/

url

https://security.netapp.com/advisory/ntap-20240202-0007/

reference_url	https://access.redhat.com/errata/RHSA-2023:6818
reference_id	RHSA-2023:6818
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6818

fixed_packages

url pkg:gem/actionpack@6.1.7.1

purl pkg:gem/actionpack@6.1.7.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.1

url pkg:gem/actionpack@7.0.4.1

purl pkg:gem/actionpack@7.0.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.4.1

aliases CVE-2023-22792, GHSA-p84v-45xj-wwqj, GMS-2023-58

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sw7t-5s3e-vkhx

url VCID-tctm-uptk-1kcx

vulnerability_id VCID-tctm-uptk-1kcx

summary

Possible Open Redirect in Host Authorization Middleware
There is a possible open redirect vulnerability in the Host Authorization
middleware in Action Pack. This vulnerability has been assigned the CVE
identifier CVE-2021-22881.

Versions Affected:  >= 6.0.0
Not affected:       < 6.0.0
Fixed Versions:     6.1.2.1, 6.0.3.5

Impact
------
Specially crafted "Host" headers in combination with certain "allowed host"
formats can cause the Host Authorization middleware in Action Pack to redirect
users to a malicious website.

Impacted applications will have allowed hosts with a leading dot.  For
example, configuration files that look like this:

```
config.hosts <<  '.tkte.ch'
```

When an allowed host contains a leading dot, a specially crafted Host header
can be used to redirect to a malicious website.

Workarounds
-----------
In the case a patch can't be applied, the following monkey patch can be used
in an initializer:

```ruby
module ActionDispatch
  class HostAuthorization
    private
      def authorized?(request)
        valid_host = /
          \A
          (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])
          (:\d+)?
          \z
        /x

        origin_host = valid_host.match(
          request.get_header("HTTP_HOST").to_s.downcase)
        forwarded_host = valid_host.match(
          request.x_forwarded_host.to_s.split(/,\s?/).last)

        origin_host && @permissions.allows?(origin_host[:host]) && (
          forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
      end
  end
end
```

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22881.json

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22881.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-22881

reference_id

reference_type

scores

value	0.15453
scoring_system	epss
scoring_elements	0.94791
published_at	2026-06-05T12:55:00Z

value	0.15453
scoring_system	epss
scoring_elements	0.94782
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-22881

reference_url

https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22881
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22881

reference_url

https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/blob/v6.1.2.1/actionpack/CHANGELOG.md

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/blob/v6.1.2.1/actionpack/CHANGELOG.md

reference_url

https://github.com/rails/rails/commit/b5de7b3a4787d8a55aaad39f477c16e3af65e444

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/b5de7b3a4787d8a55aaad39f477c16e3af65e444

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22881.yml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22881.yml

reference_url

https://groups.google.com/g/rubyonrails-security/c/zN_3qA26l6E

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/zN_3qA26l6E

reference_url

https://hackerone.com/reports/1047447

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/1047447

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2021/05/05/2

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2021/05/05/2

reference_url

http://www.openwall.com/lists/oss-security/2021/08/20/1

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2021/08/20/1

reference_url

http://www.openwall.com/lists/oss-security/2021/12/14/5

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2021/12/14/5

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1930211
reference_id	1930211
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1930211

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-22881

reference_id

CVE-2021-22881

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22881

fixed_packages

url pkg:gem/actionpack@6.0.3.5

purl pkg:gem/actionpack@6.0.3.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-cuqq-33dv-xqfh

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-h52p-drh6-xfg4

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-ugdk-t2vk-nkfc

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.5

url pkg:gem/actionpack@6.1.2.1

purl pkg:gem/actionpack@6.1.2.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-cuqq-33dv-xqfh

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-ugdk-t2vk-nkfc

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.2.1

aliases CVE-2021-22881, GHSA-8877-prq4-9xfw

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tctm-uptk-1kcx

url VCID-ufrj-jn16-jybn

vulnerability_id VCID-ufrj-jn16-jybn

summary

Rails has a possible XSS vulnerability in its Action Pack debug exceptions
### Impact
The debug exceptions page does not properly escape exception messages.
A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS.
This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`),
which is the default in development.

### Releases
The fixed releases are available at the normal locations.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33167.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33167.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33167

reference_id

reference_type

scores

value	0.00022
scoring_system	epss
scoring_elements	0.06303
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33167

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	1.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0

reference_url

reference_id

reference_type

scores

value	1.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:44:05Z/

url

https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0

reference_url

https://github.com/rails/rails/releases/tag/v8.1.2.1

reference_id

reference_type

scores

value	1.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:44:05Z/

url

https://github.com/rails/rails/releases/tag/v8.1.2.1

reference_url

https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6

reference_id

reference_type

scores

value	1.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:44:05Z/

url

https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2026-33167.yml

reference_id

reference_type

scores

value	1.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2026-33167.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33167

reference_id

reference_type

scores

value	1.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33167

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2450552
reference_id	2450552
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2450552

reference_url	https://github.com/advisories/GHSA-pgm4-439c-5jp6
reference_id	GHSA-pgm4-439c-5jp6
reference_type
scores
url	https://github.com/advisories/GHSA-pgm4-439c-5jp6

fixed_packages

url	pkg:gem/actionpack@8.1.2.1
purl	pkg:gem/actionpack@8.1.2.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.1.2.1

aliases CVE-2026-33167, GHSA-pgm4-439c-5jp6

risk_score 2.5

exploitability 0.5

weighted_severity 4.9

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ufrj-jn16-jybn

url VCID-ugdk-t2vk-nkfc

vulnerability_id VCID-ugdk-t2vk-nkfc

summary multiple issues

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-22904

reference_id

reference_type

scores

value	0.03338
scoring_system	epss
scoring_elements	0.87543
published_at	2026-06-05T12:55:00Z

value	0.03338
scoring_system	epss
scoring_elements	0.87521
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-22904

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904

reference_url

https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v5.2.4.6

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v5.2.4.6

reference_url

https://github.com/rails/rails/releases/tag/v5.2.6

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v5.2.6

reference_url

https://github.com/rails/rails/releases/tag/v6.0.3.7

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v6.0.3.7

reference_url

https://github.com/rails/rails/releases/tag/v6.1.3.2

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v6.1.3.2

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml

reference_url

https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ

reference_url

https://hackerone.com/reports/1101125

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/1101125

reference_url

https://security.netapp.com/advisory/ntap-20210805-0009

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20210805-0009

reference_url	https://security.netapp.com/advisory/ntap-20210805-0009/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20210805-0009/

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1961379
reference_id	1961379
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1961379

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
reference_id	988214
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214

reference_url

reference_id

AVG-1920

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

reference_url

reference_id

AVG-1921

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

reference_url

reference_id

AVG-2090

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

reference_url

reference_id

AVG-2223

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22904

reference_url

reference_id

CVE-2021-22904

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22904

reference_url	https://access.redhat.com/errata/RHSA-2021:4702
reference_id	RHSA-2021:4702
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:4702

fixed_packages

url pkg:gem/actionpack@6.0.3.7

purl pkg:gem/actionpack@6.0.3.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.7

url pkg:gem/actionpack@6.1.3.2

purl pkg:gem/actionpack@6.1.3.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.3.2

aliases CVE-2021-22904, GHSA-7wjx-3g7j-8584

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ugdk-t2vk-nkfc

url VCID-uhm1-xeqs-auec

vulnerability_id VCID-uhm1-xeqs-auec

summary

URL Redirection to Untrusted Site ('Open Redirect')
A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44528.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44528.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-44528

reference_id

reference_type

scores

value	0.28611
scoring_system	epss
scoring_elements	0.96624
published_at	2026-06-05T12:55:00Z

value	0.28611
scoring_system	epss
scoring_elements	0.9662
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/blob/v6.1.4.2/actionpack/CHANGELOG.md#rails-6142-december-14-2021

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/blob/v6.1.4.2/actionpack/CHANGELOG.md#rails-6142-december-14-2021

reference_url

https://github.com/rails/rails/commit/0fccfb9a3097a9c4260c791f1a40b128517e7815

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/0fccfb9a3097a9c4260c791f1a40b128517e7815

reference_url

https://github.com/rails/rails/commit/aecba3c301b80e9d5a63c30ea1b287bceaf2c107

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/aecba3c301b80e9d5a63c30ea1b287bceaf2c107

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-44528.yml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-44528.yml

reference_url

https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ

reference_url

https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ?utm_medium=email&utm_source=footer

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ?utm_medium=email&utm_source=footer

reference_url

https://security.netapp.com/advisory/ntap-20240208-0003

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240208-0003

reference_url	https://security.netapp.com/advisory/ntap-20240208-0003/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20240208-0003/

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-44528

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001817
reference_id	1001817
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001817

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2034266
reference_id	2034266
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2034266

reference_url

reference_id

CVE-2021-44528

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-44528

reference_url

https://github.com/advisories/GHSA-qphc-hf5q-v8fc

reference_id

GHSA-qphc-hf5q-v8fc

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-qphc-hf5q-v8fc

fixed_packages

url pkg:gem/actionpack@6.0.4.2

purl pkg:gem/actionpack@6.0.4.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.4.2

url pkg:gem/actionpack@6.1.0.rc1

purl pkg:gem/actionpack@6.1.0.rc1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.0.rc1

url pkg:gem/actionpack@6.1.4.2

purl pkg:gem/actionpack@6.1.4.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.4.2

url pkg:gem/actionpack@7.0.0.alpha1

purl pkg:gem/actionpack@7.0.0.alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1

aliases CVE-2021-44528, GHSA-qphc-hf5q-v8fc

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uhm1-xeqs-auec

url VCID-uusn-n8vk-2bcm

vulnerability_id VCID-uusn-n8vk-2bcm

summary

Possible XSS Vulnerability in Action Pack in Development Mode
There is a possible XSS vulnerability in Action Pack while the application
server is in development mode.  This vulnerability is in the Actionable
Exceptions middleware.  This vulnerability has been assigned the CVE
identifier CVE-2020-8264.

Versions Affected:  >= 6.0.0
Not affected:       < 6.0.0
Fixed Versions:     6.0.3.4

Impact
------
When an application is running in development mode, and attacker can send or
embed (in another page) a specially crafted URL which can allow the attacker
to execute JavaScript in the context of the local application.

Workarounds
-----------
Until such time as the patch can be applied, application developers should
disable the Actionable Exceptions middleware in their development environment via
a line such as this one in their config/environment/development.rb:

`config.middleware.delete ActionDispatch::ActionableExceptions`

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8264.json

reference_id

reference_type

scores

value	7.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8264.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-8264

reference_id

reference_type

scores

value	0.0205
scoring_system	epss
scoring_elements	0.84211
published_at	2026-06-05T12:55:00Z

value	0.0205
scoring_system	epss
scoring_elements	0.84187
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-8264

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8264
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8264

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8264.yml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8264.yml

reference_url

https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk

reference_url

https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ

reference_url

https://hackerone.com/reports/904059

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/904059

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1886554
reference_id	1886554
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1886554

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971988
reference_id	971988
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971988

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-8264

reference_id

CVE-2020-8264

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-8264

fixed_packages

url pkg:gem/actionpack@6.0.3.4

purl pkg:gem/actionpack@6.0.3.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-cuqq-33dv-xqfh

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-h52p-drh6-xfg4

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-tctm-uptk-1kcx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-ugdk-t2vk-nkfc

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.4

aliases CVE-2020-8264, GHSA-35mm-cc6r-8fjp

risk_score 3.5

exploitability 0.5

weighted_severity 6.9

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uusn-n8vk-2bcm

url VCID-v3vg-9jdz-guf5

vulnerability_id VCID-v3vg-9jdz-guf5

summary

Possible Content Security Policy bypass in Action Dispatch
There is a possible Cross Site Scripting (XSS) vulnerability
in the `content_security_policy` helper in Action Pack.

## Impact

Applications which set Content-Security-Policy (CSP) headers
dynamically from untrusted user input may be vulnerable to
carefully crafted inputs being able to inject new directives
into the CSP. This could lead to a bypass of the CSP and its
protection against XSS and other attacks.

## Releases

The fixed releases are available at the normal locations.

## Workarounds

Applications can avoid setting CSP headers dynamically from
untrusted input, or can validate/sanitize that input.

## Credits

Thanks to [ryotak](https://hackerone.com/ryotak) for the report!

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-54133

reference_id

reference_type

scores

value	0.0019
scoring_system	epss
scoring_elements	0.40724
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-54133

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133

reference_url

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url