Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
Typedeb
Namespacedebian
Namerails
Version2:7.2.2.1+dfsg-1
Qualifiers
distro trixie
Subpath
Is_vulnerablefalse
Next_non_vulnerable_version2:7.2.2.2+dfsg-1
Latest_non_vulnerable_version2:7.2.3.1+dfsg-1
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-1g4f-hrwm-q3gh
vulnerability_id VCID-1g4f-hrwm-q3gh
summary 
Possible ReDoS vulnerability in block_format in Action Mailer
There is a possible ReDoS vulnerability in the block_format helper in Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2024-47889.

Impact
------

Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.


Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Users can avoid calling the `block_format` helper or upgrade to Ruby 3.2

Credits
-------

Thanks to yuki_osaki for the report!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47889.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47889.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-47889
reference_id
reference_type
scores
0
value 0.00326
scoring_system epss
scoring_elements 0.55793
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-47889
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47889
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47889
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/
url https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionmailer/CVE-2024-47889.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionmailer/CVE-2024-47889.yml
7
reference_url https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94
reference_id 0e5694f4d32544532d2301a9b4084eacb6986e94
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/
url https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id 1085376
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2319033
reference_id 2319033
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2319033
10
reference_url https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3
reference_id 3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/
url https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3
11
reference_url https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9
reference_id 985f1923fa62806ff676e41de67c3b4552131ab9
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/
url https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9
12
reference_url https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e
reference_id be898cc996986decfe238341d96b2a6573b8fd2e
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/
url https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e
13
reference_url https://github.com/advisories/GHSA-h47h-mwp9-c6q6
reference_id GHSA-h47h-mwp9-c6q6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h47h-mwp9-c6q6
14
reference_url https://usn.ubuntu.com/7290-1/
reference_id USN-7290-1
reference_type
scores
url https://usn.ubuntu.com/7290-1/
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u3%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.1%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
6
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2024-47889, GHSA-h47h-mwp9-c6q6
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1g4f-hrwm-q3gh
1
url VCID-6k4p-91ka-juh5
vulnerability_id VCID-6k4p-91ka-juh5
summary 
Rails has possible Sensitive Session Information Leak in Active Storage
# Possible Sensitive Session Information Leak in Active Storage

There is a possible sensitive session information leak in Active Storage.  By
default, Active Storage sends a `Set-Cookie` header along with the user's
session cookie when serving blobs.  It also sets `Cache-Control` to public.
Certain proxies may cache the Set-Cookie, leading to an information leak.

This vulnerability has been assigned the CVE identifier CVE-2024-26144.

Versions Affected:  >= 5.2.0, < 7.1.0
Not affected:       < 5.2.0, > 7.1.0
Fixed Versions:     7.0.8.1, 6.1.7.7

Impact
------
A proxy which chooses to caches this request can cause users to share
sessions. This may include a user receiving an attacker's session or vice
versa.

This was patched in 7.1.0 but not previously identified as a security
vulnerability.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Upgrade to Rails 7.1.X, or configure caching proxies not to cache the
Set-Cookie headers.

Credits
-------

Thanks to [tyage](https://hackerone.com/tyage) for reporting this!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26144.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26144.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-26144
reference_id
reference_type
scores
0
value 0.04252
scoring_system epss
scoring_elements 0.88981
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-26144
2
reference_url https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/
url https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/
url https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433
6
reference_url https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/
url https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3
7
reference_url https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/
url https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26144.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26144.yml
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26144
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-26144
11
reference_url https://security.netapp.com/advisory/ntap-20240510-0013
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240510-0013
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065119
reference_id 1065119
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065119
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2266063
reference_id 2266063
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2266063
14
reference_url https://github.com/advisories/GHSA-8h22-8cf7-hq6g
reference_id GHSA-8h22-8cf7-hq6g
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8h22-8cf7-hq6g
15
reference_url https://security.netapp.com/advisory/ntap-20240510-0013/
reference_id ntap-20240510-0013
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/
url https://security.netapp.com/advisory/ntap-20240510-0013/
16
reference_url https://access.redhat.com/errata/RHSA-2024:10806
reference_id RHSA-2024:10806
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10806
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.1%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
6
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2024-26144, GHSA-8h22-8cf7-hq6g
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6k4p-91ka-juh5
2
url VCID-b7z5-h1bw-tya9
vulnerability_id VCID-b7z5-h1bw-tya9
summary 
Missing security headers in Action Pack on non-HTML responses
# Permissions-Policy is Only Served on HTML Content-Type

The application configurable Permissions-Policy is only served on responses
with an HTML related Content-Type.

This has been assigned the CVE identifier CVE-2024-28103.


Versions Affected:  >= 6.1.0
Not affected:       < 6.1.0
Fixed Versions:     6.1.7.8, 7.0.8.4, and 7.1.3.4

Impact
------
Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced.


Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
N/A

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the supported release series in accordance with our 
[maintenance policy](https://guides.rubyonrails.org/maintenance_policy.html#security-issues)
regarding security issues. They are in git-am format and consist of a
single changeset.

* 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series
* 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series
* 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series



Credits
-------

Thank you [shinkbr](https://hackerone.com/shinkbr) for reporting this!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28103.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28103.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-28103
reference_id
reference_type
scores
0
value 0.00832
scoring_system epss
scoring_elements 0.74889
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-28103
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
4
reference_url https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-20T16:17:47Z/
url https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523
5
reference_url https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements
1
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-20T16:17:47Z/
url https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-28103.yml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-28103.yml
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-28103
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-28103
8
reference_url https://security.netapp.com/advisory/ntap-20241206-0002
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20241206-0002
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072705
reference_id 1072705
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072705
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2290530
reference_id 2290530
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2290530
11
reference_url https://github.com/advisories/GHSA-fwhr-88qx-h9g7
reference_id GHSA-fwhr-88qx-h9g7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fwhr-88qx-h9g7
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.1%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
6
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2024-28103, GHSA-fwhr-88qx-h9g7
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-b7z5-h1bw-tya9
3
url VCID-dd87-gevs-juhe
vulnerability_id VCID-dd87-gevs-juhe
summary 
Possible ReDoS vulnerability in query parameter filtering in Action Dispatch
There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.

Impact
------

Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.


Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Users on Ruby 3.2 are unaffected by this issue.


Credits
-------

Thanks to [scyoon](https://hackerone.com/scyoon) for the report and patches!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41128.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41128.json
1
reference_url https://access.redhat.com/security/cve/cve-2024-41128
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://access.redhat.com/security/cve/cve-2024-41128
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-41128
reference_id
reference_type
scores
0
value 0.00774
scoring_system epss
scoring_elements 0.73902
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-41128
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2319036
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://bugzilla.redhat.com/show_bug.cgi?id=2319036
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41128
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41128
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
7
reference_url https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075
8
reference_url https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef
9
reference_url https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891
10
reference_url https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-41128
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-41128
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id 1085376
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
15
reference_url https://github.com/advisories/GHSA-x76w-6vjr-8xgj
reference_id GHSA-x76w-6vjr-8xgj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x76w-6vjr-8xgj
16
reference_url https://usn.ubuntu.com/7290-1/
reference_id USN-7290-1
reference_type
scores
url https://usn.ubuntu.com/7290-1/
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u3%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.1%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
6
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2024-41128, GHSA-x76w-6vjr-8xgj
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dd87-gevs-juhe
4
url VCID-eeru-6pyc-8bcd
vulnerability_id VCID-eeru-6pyc-8bcd
summary 
Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.

Impact
------

For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Users on Ruby 3.2 are unaffected by this issue.


Credits
-------
Thanks to [scyoon](https://hackerone.com/scyoon) for reporting
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47887.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47887.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-47887
reference_id
reference_type
scores
0
value 0.00333
scoring_system epss
scoring_elements 0.56344
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-47887
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47887
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47887
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id 1085376
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2319034
reference_id 2319034
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2319034
9
reference_url https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049
reference_id 56b2fc3302836405b496e196a8d5fc0195e55049
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049
10
reference_url https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a
reference_id 7c1398854d51f9bb193fb79f226647351133d08a
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a
11
reference_url https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545
reference_id 8e057db25bff1dc7a98e9ae72e0083825b9ac545
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545
12
reference_url https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2
reference_id f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2
13
reference_url https://github.com/advisories/GHSA-vfg9-r3fq-jvx4
reference_id GHSA-vfg9-r3fq-jvx4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vfg9-r3fq-jvx4
14
reference_url https://usn.ubuntu.com/7290-1/
reference_id USN-7290-1
reference_type
scores
url https://usn.ubuntu.com/7290-1/
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u3%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.1%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
6
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2024-47887, GHSA-vfg9-r3fq-jvx4
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-eeru-6pyc-8bcd
5
url VCID-m9ud-s6w6-x7ac
vulnerability_id VCID-m9ud-s6w6-x7ac
summary actionpack: Possible XSS via User Supplied Values to redirect_to
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28362.json
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28362.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-28362
reference_id
reference_type
scores
0
value 0.00225
scoring_system epss
scoring_elements 0.45261
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-28362
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28362
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28362
3
reference_url https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3
scoring_elements
1
value 4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/
url https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
6
reference_url https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441
reference_id
reference_type
scores
0
value 4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/
url https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441
7
reference_url https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5
reference_id
reference_type
scores
0
value 4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/
url https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5
8
reference_url https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-28362
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-28362
11
reference_url https://security.netapp.com/advisory/ntap-20250502-0009
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250502-0009
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051058
reference_id 1051058
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051058
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2217785
reference_id 2217785
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2217785
14
reference_url https://github.com/advisories/GHSA-4g8v-vg43-wpgf
reference_id GHSA-4g8v-vg43-wpgf
reference_type
scores
0
value 4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/
url https://github.com/advisories/GHSA-4g8v-vg43-wpgf
15
reference_url https://access.redhat.com/errata/RHSA-2023:7851
reference_id RHSA-2023:7851
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7851
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u3%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.1%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
6
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2023-28362, GHSA-4g8v-vg43-wpgf
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m9ud-s6w6-x7ac
6
url VCID-nyer-au8u-f7h6
vulnerability_id VCID-nyer-au8u-f7h6
summary 
Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text
There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888.

Impact
------

Carefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.


Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Users can avoid calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2

Credits
-------

Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the report!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47888.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47888.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-47888
reference_id
reference_type
scores
0
value 0.00476
scoring_system epss
scoring_elements 0.65157
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-47888
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47888
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47888
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/
url https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actiontext/CVE-2024-47888.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actiontext/CVE-2024-47888.yml
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id 1085376
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2319035
reference_id 2319035
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2319035
9
reference_url https://github.com/rails/rails/commit/4f4312b21a6448336de7c7ab0c4d94b378def468
reference_id 4f4312b21a6448336de7c7ab0c4d94b378def468
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/
url https://github.com/rails/rails/commit/4f4312b21a6448336de7c7ab0c4d94b378def468
10
reference_url https://github.com/rails/rails/commit/727b0946c3cab04b825c039435eac963d4e91822
reference_id 727b0946c3cab04b825c039435eac963d4e91822
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/
url https://github.com/rails/rails/commit/727b0946c3cab04b825c039435eac963d4e91822
11
reference_url https://github.com/rails/rails/commit/ba286c0a310b7f19cf5cac2a7a4c9def5cf9882e
reference_id ba286c0a310b7f19cf5cac2a7a4c9def5cf9882e
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/
url https://github.com/rails/rails/commit/ba286c0a310b7f19cf5cac2a7a4c9def5cf9882e
12
reference_url https://github.com/rails/rails/commit/de0df7caebd9cb238a6f10dca462dc5f8d5e98b5
reference_id de0df7caebd9cb238a6f10dca462dc5f8d5e98b5
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/
url https://github.com/rails/rails/commit/de0df7caebd9cb238a6f10dca462dc5f8d5e98b5
13
reference_url https://github.com/advisories/GHSA-wwhv-wxv9-rpgw
reference_id GHSA-wwhv-wxv9-rpgw
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wwhv-wxv9-rpgw
14
reference_url https://usn.ubuntu.com/7290-1/
reference_id USN-7290-1
reference_type
scores
url https://usn.ubuntu.com/7290-1/
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u3%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.1%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
6
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2024-47888, GHSA-wwhv-wxv9-rpgw
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nyer-au8u-f7h6
7
url VCID-qth9-abgp-wyaq
vulnerability_id VCID-qth9-abgp-wyaq
summary 
Possible Content Security Policy bypass in Action Dispatch
There is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper in Action Pack.

Impact
------
Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits
-------
Thanks to [ryotak](https://hackerone.com/ryotak) for the report!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-54133
reference_id
reference_type
scores
0
value 0.0019
scoring_system epss
scoring_elements 0.40653
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-54133
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133
3
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
4
reference_url https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49
5
reference_url https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a
6
reference_url https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542
7
reference_url https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d
8
reference_url https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-54133
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-54133
11
reference_url https://security.netapp.com/advisory/ntap-20250306-0010
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250306-0010
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755
reference_id 1089755
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2331619
reference_id 2331619
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2331619
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u3%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.1%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
6
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2024-54133, GHSA-vfm5-rmrh-j26v
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qth9-abgp-wyaq
8
url VCID-zpzn-dbk4-juae
vulnerability_id VCID-zpzn-dbk4-juae
summary 
Active Support Possibly Discloses Locally Encrypted Files
There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5

# Impact
ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

# Releases
The fixed releases are available at the normal locations.

# Workarounds
To work around this issue, you can set your umask to be more restrictive like this:

```ruby
$ umask 0077
```
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-38037.json
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-38037.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-38037
reference_id
reference_type
scores
0
value 0.00072
scoring_system epss
scoring_elements 0.22043
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-38037
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38037
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38037
3
reference_url https://discuss.rubyonrails.org/t/cve-2023-38037-possible-file-disclosure-of-locally-encrypted-files/83544
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:35:42Z/
url https://discuss.rubyonrails.org/t/cve-2023-38037-possible-file-disclosure-of-locally-encrypted-files/83544
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731
6
reference_url https://github.com/rails/rails/releases/tag/v7.0.7.1
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3
scoring_elements
1
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.7.1
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-38037
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-38037
9
reference_url https://security.netapp.com/advisory/ntap-20250214-0010
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250214-0010
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051057
reference_id 1051057
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051057
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2236261
reference_id 2236261
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2236261
12
reference_url https://github.com/advisories/GHSA-cr5q-6q9f-rq6q
reference_id GHSA-cr5q-6q9f-rq6q
reference_type
scores
url https://github.com/advisories/GHSA-cr5q-6q9f-rq6q
13
reference_url https://access.redhat.com/errata/RHSA-2023:7720
reference_id RHSA-2023:7720
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7720
14
reference_url https://access.redhat.com/errata/RHSA-2024:0268
reference_id RHSA-2024:0268
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0268
15
reference_url https://access.redhat.com/errata/RHSA-2024:2010
reference_id RHSA-2024:2010
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2010
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u3%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.1%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
6
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2023-38037, GHSA-cr5q-6q9f-rq6q
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zpzn-dbk4-juae
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.1%252Bdfsg-1%3Fdistro=trixie