Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:gem/actionpack@6.0.4.1

Type gem

Namespace

Name actionpack

Version 6.0.4.1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 8.1.2.1

Latest_non_vulnerable_version 8.1.2.1

Affected_by_vulnerabilities

url VCID-2fra-ffky-97ce

vulnerability_id VCID-2fra-ffky-97ce

summary

Exposure of information in Action Pack
Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-23633

reference_id

reference_type

scores

value	0.00187
scoring_system	epss
scoring_elements	0.4034
published_at	2026-06-04T12:55:00Z

value	0.00187
scoring_system	epss
scoring_elements	0.4042
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails

reference_url

https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml

reference_url

https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3
scoring_elements

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ

reference_url

https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

reference_url

https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released

reference_url

https://security.netapp.com/advisory/ntap-20240119-0013

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240119-0013

reference_url	https://security.netapp.com/advisory/ntap-20240119-0013/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20240119-0013/

reference_url

https://www.debian.org/security/2023/dsa-5372

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2023/dsa-5372

reference_url

http://www.openwall.com/lists/oss-security/2022/02/11/5

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2022/02/11/5

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389
reference_id	1005389
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2063149
reference_id	2063149
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2063149

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-23633

reference_id

CVE-2022-23633

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-23633

reference_url

https://github.com/advisories/GHSA-wh98-p28r-vrc9

reference_id

GHSA-wh98-p28r-vrc9

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-wh98-p28r-vrc9

reference_url

https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9

reference_id

GHSA-wh98-p28r-vrc9

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9

reference_url	https://access.redhat.com/errata/RHSA-2022:5498
reference_id	RHSA-2022:5498
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:5498

fixed_packages

url pkg:gem/actionpack@6.0.4.6

purl pkg:gem/actionpack@6.0.4.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.4.6

url pkg:gem/actionpack@6.1.0.rc1

purl pkg:gem/actionpack@6.1.0.rc1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.0.rc1

url pkg:gem/actionpack@6.1.4.6

purl pkg:gem/actionpack@6.1.4.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.4.6

url pkg:gem/actionpack@7.0.0.alpha1

purl pkg:gem/actionpack@7.0.0.alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1

url pkg:gem/actionpack@7.0.2.2

purl pkg:gem/actionpack@7.0.2.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sbuv-a22t-bbe2

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.2.2

aliases CVE-2022-23633, GHSA-wh98-p28r-vrc9

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2fra-ffky-97ce

url VCID-37qm-tp8v-tugb

vulnerability_id VCID-37qm-tp8v-tugb

summary

Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
There is a possible ReDoS vulnerability in Action Controller's
HTTP Token authentication. This vulnerability has been assigned
the CVE identifier CVE-2024-47887.

## Impact

For applications using HTTP Token authentication via
`authenticate_or_request_with_http_token` or similar, a carefully
crafted header may cause header parsing to take an unexpected amount
of time, possibly resulting in a DoS vulnerability. All users running
an affected release should either upgrade or apply the relevant
patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications
using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends
on Ruby 3.2 or greater so is unaffected.

## Releases

The fixed releases are available at the normal locations.

## Workarounds

Users on Ruby 3.2 are unaffected by this issue.

## Credits

Thanks to [scyoon](https://hackerone.com/scyoon) for reporting

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47887.json

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47887.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-47887

reference_id

reference_type

scores

value	0.00273
scoring_system	epss
scoring_elements	0.5093
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-47887

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47887
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47887

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails

reference_url

https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/

url

https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id	1085376
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2319034
reference_id	2319034
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2319034

reference_url

https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049

reference_id

56b2fc3302836405b496e196a8d5fc0195e55049

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/

url

https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049

reference_url

https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a

reference_id

7c1398854d51f9bb193fb79f226647351133d08a

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/

url

https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a

reference_url

https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545

reference_id

8e057db25bff1dc7a98e9ae72e0083825b9ac545

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/

url

https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2024-47887
reference_id	CVE-2024-47887
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2024-47887

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml

reference_id

CVE-2024-47887.YML

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml

reference_url

https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2

reference_id

f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/

url

https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2

reference_url

https://github.com/advisories/GHSA-vfg9-r3fq-jvx4

reference_id

GHSA-vfg9-r3fq-jvx4

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-vfg9-r3fq-jvx4

reference_url	https://usn.ubuntu.com/7290-1/
reference_id	USN-7290-1
reference_type
scores
url	https://usn.ubuntu.com/7290-1/

fixed_packages

url pkg:gem/actionpack@6.1.7.9

purl pkg:gem/actionpack@6.1.7.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.9

url pkg:gem/actionpack@7.0.0.alpha1

purl pkg:gem/actionpack@7.0.0.alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1

url pkg:gem/actionpack@7.0.8.5

purl pkg:gem/actionpack@7.0.8.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.5

url pkg:gem/actionpack@7.1.0.beta1

purl pkg:gem/actionpack@7.1.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.0.beta1

url pkg:gem/actionpack@7.1.4.1

purl pkg:gem/actionpack@7.1.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.4.1

url pkg:gem/actionpack@7.2.0.beta1

purl pkg:gem/actionpack@7.2.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.0.beta1

url pkg:gem/actionpack@7.2.1.1

purl pkg:gem/actionpack@7.2.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.1.1

url pkg:gem/actionpack@8.0.0.beta1

purl pkg:gem/actionpack@8.0.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.beta1

aliases CVE-2024-47887, GHSA-vfg9-r3fq-jvx4

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-37qm-tp8v-tugb

url VCID-4uv1-e1me-hqb3

vulnerability_id VCID-4uv1-e1me-hqb3

summary Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in actionview.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-27777.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-27777.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-27777

reference_id

reference_type

scores

value	0.01409
scoring_system	epss
scoring_elements	0.80853
published_at	2026-06-05T12:55:00Z

value	0.01409
scoring_system	epss
scoring_elements	0.80827
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails

reference_url

https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85

reference_url

https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw

reference_url

https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

reference_url

https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released

reference_url

https://www.debian.org/security/2023/dsa-5372

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2023/dsa-5372

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016982
reference_id	1016982
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016982

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2080296
reference_id	2080296
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2080296

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-27777

reference_id

CVE-2022-27777

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-27777

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml

reference_id

CVE-2022-27777.YML

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml

reference_url

https://github.com/advisories/GHSA-ch3h-j2vf-95pv

reference_id

GHSA-ch3h-j2vf-95pv

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-ch3h-j2vf-95pv

reference_url	https://access.redhat.com/errata/RHSA-2023:2097
reference_id	RHSA-2023:2097
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2097

fixed_packages

url pkg:gem/actionpack@6.0.4.8

purl pkg:gem/actionpack@6.0.4.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.4.8

url pkg:gem/actionpack@6.1.5.1

purl pkg:gem/actionpack@6.1.5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.5.1

url pkg:gem/actionpack@7.0.2.4

purl pkg:gem/actionpack@7.0.2.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sbuv-a22t-bbe2

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.2.4

aliases CVE-2022-27777, GHSA-ch3h-j2vf-95pv, GMS-2022-1138

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4uv1-e1me-hqb3

url VCID-bfqq-ypyw-dycj

vulnerability_id VCID-bfqq-ypyw-dycj

summary

Rails has possible XSS Vulnerability in Action Controller
# Possible XSS Vulnerability in Action Controller

There is a possible XSS vulnerability when using the translation helpers
(`translate`, `t`, etc) in Action Controller. This vulnerability has been
assigned the CVE identifier CVE-2024-26143.

Versions Affected:  >= 7.0.0.
Not affected:       < 7.0.0
Fixed Versions:     7.1.3.1, 7.0.8.1

Impact
------
Applications using translation methods like `translate`, or `t` on a
controller, with a key ending in "_html", a `:default` key which contains
untrusted user input, and the resulting string is used in a view, may be
susceptible to an XSS vulnerability.

For example, impacted code will look something like this:

```ruby
class ArticlesController < ApplicationController
  def show  
    @message = t("message_html", default: untrusted_input)
    # The `show` template displays the contents of `@message`
  end
end
```

To reiterate the pre-conditions, applications must:

* Use a translation function from a controller (i.e. _not_ I18n.t, or `t` from
  a view)
* Use a key that ends in `_html`
* Use a default value where the default value is untrusted and unescaped input
* Send the text to the victim (whether that's part of a template, or a
  `render` call)

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

*  7-0-translate-xss.patch - Patch for 7.0 series
*  7-1-translate-xss.patch - Patch for 7.1 series

Credits
-------

Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the patch and fix!

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26143.json

reference_id

reference_type

scores

value	4.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26143.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-26143

reference_id

reference_type

scores

value	0.02067
scoring_system	epss
scoring_elements	0.84271
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-26143

reference_url

https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/

url

https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails

reference_url

https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/

url

https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc

reference_url

https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/

url

https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e

reference_url

https://security.netapp.com/advisory/ntap-20240510-0004

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240510-0004

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2266388
reference_id	2266388
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2266388

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-26143

reference_id

CVE-2024-26143

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-26143

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml

reference_id

CVE-2024-26143.YML

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml

reference_url

https://github.com/advisories/GHSA-9822-6m93-xqf4

reference_id

GHSA-9822-6m93-xqf4

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9822-6m93-xqf4

reference_url

https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4

reference_id

GHSA-9822-6m93-xqf4

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/

url

https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4

reference_url

https://security.netapp.com/advisory/ntap-20240510-0004/

reference_id

ntap-20240510-0004

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/

url

https://security.netapp.com/advisory/ntap-20240510-0004/

fixed_packages

url pkg:gem/actionpack@7.0.8.1

purl pkg:gem/actionpack@7.0.8.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.1

url pkg:gem/actionpack@7.1.3.1

purl pkg:gem/actionpack@7.1.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.3.1

aliases CVE-2024-26143, GHSA-9822-6m93-xqf4

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bfqq-ypyw-dycj

url VCID-egdx-4qqa-guh1

vulnerability_id VCID-egdx-4qqa-guh1

summary

Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to
The `redirect_to` method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28362.json

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28362.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-28362

reference_id

reference_type

scores

value	0.00207
scoring_system	epss
scoring_elements	0.43036
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-28362

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28362
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28362

reference_url

https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132

reference_id

reference_type

scores

value	4.0
scoring_system	cvssv3
scoring_elements

value	4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/

url

https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails

reference_id

reference_type

scores

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails

reference_url

https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441

reference_id

reference_type

scores

value	4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/

url

https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441

reference_url

https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5

reference_id

reference_type

scores

value	4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/

url

https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5

reference_url

https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23

reference_id

reference_type

scores

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23

reference_url

https://security.netapp.com/advisory/ntap-20250502-0009

reference_id

reference_type

scores

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20250502-0009

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051058
reference_id	1051058
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051058

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2217785
reference_id	2217785
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2217785

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-28362

reference_id

CVE-2023-28362

reference_type

scores

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-28362

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml

reference_id

CVE-2023-28362.YML

reference_type

scores

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml

reference_url

https://github.com/advisories/GHSA-4g8v-vg43-wpgf

reference_id

GHSA-4g8v-vg43-wpgf

reference_type

scores

value	4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/

url

https://github.com/advisories/GHSA-4g8v-vg43-wpgf

reference_url	https://access.redhat.com/errata/RHSA-2023:7851
reference_id	RHSA-2023:7851
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7851

fixed_packages

url pkg:gem/actionpack@6.1.7.4

purl pkg:gem/actionpack@6.1.7.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.4

url pkg:gem/actionpack@7.0.5.1

purl pkg:gem/actionpack@7.0.5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.5.1

aliases CVE-2023-28362, GHSA-4g8v-vg43-wpgf

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-egdx-4qqa-guh1

url VCID-n798-maqx-y3c9

vulnerability_id VCID-n798-maqx-y3c9

summary

Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch
# Possible ReDoS vulnerability in Accept header parsing in Action Dispatch

There is a possible ReDoS vulnerability in the Accept header parsing routines
of Action Dispatch. This vulnerability has been assigned the CVE identifier
CVE-2024-26142.

Versions Affected:  >= 7.1.0, < 7.1.3.1
Not affected:       < 7.1.0
Fixed Versions:     7.1.3.1

Impact
------
Carefully crafted Accept headers can cause Accept header parsing in Action
Dispatch to take an unexpected amount of time, possibly resulting in a DoS
vulnerability.  All users running an affected release should either upgrade or
use one of the workarounds immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby
3.2 or newer are unaffected.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 7-1-accept-redox.patch - Patch for 7.1 series

Credits
-------
Thanks [svalkanov](https://hackerone.com/svalkanov) for the report and patch!

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26142.json

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26142.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-26142

reference_id

reference_type

scores

value	0.03542
scoring_system	epss
scoring_elements	0.87908
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-26142

reference_url

https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/

url

https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails

reference_url

https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/

url

https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2266324
reference_id	2266324
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2266324

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-26142

reference_id

CVE-2024-26142

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-26142

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml

reference_id

CVE-2024-26142.YML

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml

reference_url

https://github.com/advisories/GHSA-jjhx-jhvp-74wq

reference_id

GHSA-jjhx-jhvp-74wq

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jjhx-jhvp-74wq

reference_url

https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq

reference_id

GHSA-jjhx-jhvp-74wq

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/

url

https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq

reference_url

https://security.netapp.com/advisory/ntap-20240503-0003/

reference_id

ntap-20240503-0003

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/

url

https://security.netapp.com/advisory/ntap-20240503-0003/

fixed_packages

url pkg:gem/actionpack@7.1.3.1

purl pkg:gem/actionpack@7.1.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.3.1

aliases CVE-2024-26142, GHSA-jjhx-jhvp-74wq

risk_score 2.6

exploitability 0.5

weighted_severity 5.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n798-maqx-y3c9

url VCID-nhny-abkr-6qhb

vulnerability_id VCID-nhny-abkr-6qhb

summary

ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-22795

reference_id

reference_type

scores

value	0.01304
scoring_system	epss
scoring_elements	0.80125
published_at	2026-06-05T12:55:00Z

value	0.01304
scoring_system	epss
scoring_elements	0.80099
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails

reference_url

https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f

reference_url

https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0

reference_url

https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592

reference_url

https://github.com/rails/rails/releases/tag/v6.1.7.1

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v6.1.7.1

reference_url

https://github.com/rails/rails/releases/tag/v7.0.4.1

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v7.0.4.1

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml

reference_url

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id	1030050
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2164799
reference_id	2164799
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2164799

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-22795

reference_id

CVE-2023-22795

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-22795

reference_url	https://github.com/advisories/GHSA-8xww-x3g3-6jcv
reference_id	GHSA-8xww-x3g3-6jcv
reference_type
scores
url	https://github.com/advisories/GHSA-8xww-x3g3-6jcv

reference_url	https://access.redhat.com/errata/RHSA-2023:6818
reference_id	RHSA-2023:6818
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6818

fixed_packages

url pkg:gem/actionpack@6.1.7.1

purl pkg:gem/actionpack@6.1.7.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.1

url pkg:gem/actionpack@7.0.4.1

purl pkg:gem/actionpack@7.0.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.4.1

aliases CVE-2023-22795, GHSA-8xww-x3g3-6jcv, GMS-2023-56

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nhny-abkr-6qhb

url VCID-nprk-kfvh-vqfh

vulnerability_id VCID-nprk-kfvh-vqfh

summary

Possible ReDoS vulnerability in query parameter filtering in Action Dispatch
There is a possible ReDoS vulnerability in the query parameter
filtering routines of Action Dispatch. This vulnerability has
been assigned the CVE identifier CVE-2024-41128.

## Impact

Carefully crafted query parameters can cause query parameter
filtering to take an unexpected amount of time, possibly resulting
in a DoS vulnerability. All users running an affected release
should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications
using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends
on Ruby 3.2 or greater so is unaffected.

## Releases

The fixed releases are available at the normal locations.

## Workarounds

Users on Ruby 3.2 are unaffected by this issue.

## Credits

Thanks to [scyoon](https://hackerone.com/scyoon) for the report and patches!

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41128.json

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41128.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-41128

reference_id

reference_type

scores

value	0.00557
scoring_system	epss
scoring_elements	0.68591
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-41128

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=2319036

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://bugzilla.redhat.com/show_bug.cgi?id=2319036

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41128
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41128

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails

reference_url

https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075

reference_url

https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef

reference_url

https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891

reference_url

https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd

reference_url

https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id	1085376
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376

reference_url

https://access.redhat.com/security/cve/cve-2024-41128

reference_id

CVE-2024-41128

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://access.redhat.com/security/cve/cve-2024-41128

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-41128

reference_id

CVE-2024-41128

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-41128

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml

reference_id

CVE-2024-41128.YML

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml

reference_url

https://github.com/advisories/GHSA-x76w-6vjr-8xgj

reference_id

GHSA-x76w-6vjr-8xgj

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-x76w-6vjr-8xgj

reference_url	https://usn.ubuntu.com/7290-1/
reference_id	USN-7290-1
reference_type
scores
url	https://usn.ubuntu.com/7290-1/

fixed_packages

url pkg:gem/actionpack@6.1.7.9

purl pkg:gem/actionpack@6.1.7.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.9

url pkg:gem/actionpack@7.0.0.alpha1

purl pkg:gem/actionpack@7.0.0.alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1

url pkg:gem/actionpack@7.0.8.5

purl pkg:gem/actionpack@7.0.8.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.5

url pkg:gem/actionpack@7.1.0.beta1

purl pkg:gem/actionpack@7.1.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.0.beta1

url pkg:gem/actionpack@7.1.4.1

purl pkg:gem/actionpack@7.1.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.4.1

url pkg:gem/actionpack@7.2.0.beta1

purl pkg:gem/actionpack@7.2.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.0.beta1

url pkg:gem/actionpack@7.2.1.1

purl pkg:gem/actionpack@7.2.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.1.1

url pkg:gem/actionpack@8.0.0.beta1

purl pkg:gem/actionpack@8.0.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.beta1

aliases CVE-2024-41128, GHSA-x76w-6vjr-8xgj

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nprk-kfvh-vqfh

url VCID-rpen-b1gf-9kh8

vulnerability_id VCID-rpen-b1gf-9kh8

summary

Duplicate
This advisory duplicates another.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22577.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22577.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-22577

reference_id

reference_type

scores

value	0.00495
scoring_system	epss
scoring_elements	0.66119
published_at	2026-06-04T12:55:00Z

value	0.00495
scoring_system	epss
scoring_elements	0.66171
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails

reference_url

https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec

reference_url

https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508

reference_url

https://github.com/rails/rails/commit/8198d7c4accad0b6ba956b9d59528534a289866b

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/8198d7c4accad0b6ba956b9d59528534a289866b

reference_url

https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809

reference_url

https://github.com/rails/rails/pull/44635

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/pull/44635

reference_url

https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI

reference_url

https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

reference_url

https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released

reference_url

https://security.netapp.com/advisory/ntap-20221118-0002

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20221118-0002

reference_url	https://security.netapp.com/advisory/ntap-20221118-0002/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20221118-0002/

reference_url

https://www.debian.org/security/2023/dsa-5372

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2023/dsa-5372

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011941
reference_id	1011941
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011941

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2080302
reference_id	2080302
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2080302

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-22577

reference_id

CVE-2022-22577

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-22577

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml

reference_id

CVE-2022-22577.YML

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml

reference_url

https://github.com/advisories/GHSA-mm33-5vfq-3mm3

reference_id

GHSA-mm33-5vfq-3mm3

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mm33-5vfq-3mm3

reference_url	https://access.redhat.com/errata/RHSA-2023:2097
reference_id	RHSA-2023:2097
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2097

fixed_packages

url pkg:gem/actionpack@6.0.4.8

purl pkg:gem/actionpack@6.0.4.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.4.8

url pkg:gem/actionpack@6.1.5.1

purl pkg:gem/actionpack@6.1.5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.5.1

url pkg:gem/actionpack@7.0.2.4

purl pkg:gem/actionpack@7.0.2.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sbuv-a22t-bbe2

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.2.4

aliases CVE-2022-22577, GHSA-mm33-5vfq-3mm3, GMS-2022-1137

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rpen-b1gf-9kh8

url VCID-sw7t-5s3e-vkhx

vulnerability_id VCID-sw7t-5s3e-vkhx

summary

ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted `X_FORWARDED_HOST` header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-22792

reference_id

reference_type

scores

value	0.02264
scoring_system	epss
scoring_elements	0.84957
published_at	2026-06-05T12:55:00Z

value	0.02264
scoring_system	epss
scoring_elements	0.84933
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/

url

https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails

reference_url

https://github.com/rails/rails/releases/tag/v7.0.4.1

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v7.0.4.1

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml

reference_url

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

reference_url

https://security.netapp.com/advisory/ntap-20240202-0007

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240202-0007

reference_url

https://www.debian.org/security/2023/dsa-5372

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/

url

https://www.debian.org/security/2023/dsa-5372

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id	1030050
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2164800
reference_id	2164800
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2164800

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-22792

reference_id

CVE-2023-22792

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-22792

reference_url	https://github.com/advisories/GHSA-p84v-45xj-wwqj
reference_id	GHSA-p84v-45xj-wwqj
reference_type
scores
url	https://github.com/advisories/GHSA-p84v-45xj-wwqj

reference_url

https://security.netapp.com/advisory/ntap-20240202-0007/

reference_id

ntap-20240202-0007

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/

url

https://security.netapp.com/advisory/ntap-20240202-0007/

reference_url	https://access.redhat.com/errata/RHSA-2023:6818
reference_id	RHSA-2023:6818
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6818

fixed_packages

url pkg:gem/actionpack@6.1.7.1

purl pkg:gem/actionpack@6.1.7.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.1

url pkg:gem/actionpack@7.0.4.1

purl pkg:gem/actionpack@7.0.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.4.1

aliases CVE-2023-22792, GHSA-p84v-45xj-wwqj, GMS-2023-58

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sw7t-5s3e-vkhx

url VCID-ufrj-jn16-jybn

vulnerability_id VCID-ufrj-jn16-jybn

summary

Rails has a possible XSS vulnerability in its Action Pack debug exceptions
### Impact
The debug exceptions page does not properly escape exception messages.
A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS.
This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`),
which is the default in development.

### Releases
The fixed releases are available at the normal locations.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33167.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33167.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33167

reference_id

reference_type

scores

value	0.00022
scoring_system	epss
scoring_elements	0.06303
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33167

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails

reference_id

reference_type

scores

value	1.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails

reference_url

https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0

reference_id

reference_type

scores

value	1.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:44:05Z/

url

https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0

reference_url

https://github.com/rails/rails/releases/tag/v8.1.2.1

reference_id

reference_type

scores

value	1.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:44:05Z/

url

https://github.com/rails/rails/releases/tag/v8.1.2.1

reference_url

https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6

reference_id

reference_type

scores

value	1.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:44:05Z/

url

https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2026-33167.yml

reference_id

reference_type

scores

value	1.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2026-33167.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33167

reference_id

reference_type

scores

value	1.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33167

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2450552
reference_id	2450552
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2450552

reference_url	https://github.com/advisories/GHSA-pgm4-439c-5jp6
reference_id	GHSA-pgm4-439c-5jp6
reference_type
scores
url	https://github.com/advisories/GHSA-pgm4-439c-5jp6

fixed_packages

url	pkg:gem/actionpack@8.1.2.1
purl	pkg:gem/actionpack@8.1.2.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.1.2.1

aliases CVE-2026-33167, GHSA-pgm4-439c-5jp6

risk_score 2.5

exploitability 0.5

weighted_severity 4.9

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ufrj-jn16-jybn

url VCID-uhm1-xeqs-auec

vulnerability_id VCID-uhm1-xeqs-auec

summary

URL Redirection to Untrusted Site ('Open Redirect')
A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44528.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44528.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-44528

reference_id

reference_type

scores

value	0.28611
scoring_system	epss
scoring_elements	0.96624
published_at	2026-06-05T12:55:00Z

value	0.28611
scoring_system	epss
scoring_elements	0.9662
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

https://github.com/rails/rails

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails

reference_url

https://github.com/rails/rails/blob/v6.1.4.2/actionpack/CHANGELOG.md#rails-6142-december-14-2021

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/blob/v6.1.4.2/actionpack/CHANGELOG.md#rails-6142-december-14-2021

reference_url

https://github.com/rails/rails/commit/0fccfb9a3097a9c4260c791f1a40b128517e7815

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/0fccfb9a3097a9c4260c791f1a40b128517e7815

reference_url

https://github.com/rails/rails/commit/aecba3c301b80e9d5a63c30ea1b287bceaf2c107

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/aecba3c301b80e9d5a63c30ea1b287bceaf2c107

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-44528.yml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-44528.yml

reference_url

https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ

reference_url

https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ?utm_medium=email&utm_source=footer

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ?utm_medium=email&utm_source=footer

reference_url

https://security.netapp.com/advisory/ntap-20240208-0003

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240208-0003

reference_url	https://security.netapp.com/advisory/ntap-20240208-0003/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20240208-0003/

reference_url

https://www.debian.org/security/2023/dsa-5372

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2023/dsa-5372

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001817
reference_id	1001817
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001817

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2034266
reference_id	2034266
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2034266

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-44528

reference_id

CVE-2021-44528

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-44528

reference_url

https://github.com/advisories/GHSA-qphc-hf5q-v8fc

reference_id

GHSA-qphc-hf5q-v8fc

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-qphc-hf5q-v8fc

fixed_packages

url pkg:gem/actionpack@6.0.4.2

purl pkg:gem/actionpack@6.0.4.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.4.2

url pkg:gem/actionpack@6.1.0.rc1

purl pkg:gem/actionpack@6.1.0.rc1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.0.rc1

url pkg:gem/actionpack@6.1.4.2

purl pkg:gem/actionpack@6.1.4.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.4.2

url pkg:gem/actionpack@7.0.0.alpha1

purl pkg:gem/actionpack@7.0.0.alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1

aliases CVE-2021-44528, GHSA-qphc-hf5q-v8fc

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uhm1-xeqs-auec

url VCID-v3vg-9jdz-guf5

vulnerability_id VCID-v3vg-9jdz-guf5

summary

Possible Content Security Policy bypass in Action Dispatch
There is a possible Cross Site Scripting (XSS) vulnerability
in the `content_security_policy` helper in Action Pack.

## Impact

Applications which set Content-Security-Policy (CSP) headers
dynamically from untrusted user input may be vulnerable to
carefully crafted inputs being able to inject new directives
into the CSP. This could lead to a bypass of the CSP and its
protection against XSS and other attacks.

## Releases

The fixed releases are available at the normal locations.

## Workarounds

Applications can avoid setting CSP headers dynamically from
untrusted input, or can validate/sanitize that input.

## Credits

Thanks to [ryotak](https://hackerone.com/ryotak) for the report!

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-54133

reference_id

reference_type

scores

value	0.0019
scoring_system	epss
scoring_elements	0.40724
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-54133

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133

reference_url

https://github.com/rails/rails

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails

reference_url

https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/

url

https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49

reference_url

https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/

url

https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a

reference_url

https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/

url

https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542

reference_url

https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/

url

https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d

reference_url

https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/

url

https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v

reference_url

https://security.netapp.com/advisory/ntap-20250306-0010

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20250306-0010

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755
reference_id	1089755
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2331619
reference_id	2331619
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2331619

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-54133

reference_id

CVE-2024-54133

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-54133

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml

reference_id

CVE-2024-54133.YML

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml

reference_url	https://github.com/advisories/GHSA-vfm5-rmrh-j26v
reference_id	GHSA-vfm5-rmrh-j26v
reference_type
scores
url	https://github.com/advisories/GHSA-vfm5-rmrh-j26v

fixed_packages

url pkg:gem/actionpack@7.0.8.7

purl pkg:gem/actionpack@7.0.8.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.7

url pkg:gem/actionpack@7.1.0.beta1

purl pkg:gem/actionpack@7.1.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.0.beta1

url pkg:gem/actionpack@7.1.5.1

purl pkg:gem/actionpack@7.1.5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.5.1

url pkg:gem/actionpack@7.2.0.beta1

purl pkg:gem/actionpack@7.2.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.0.beta1

url pkg:gem/actionpack@7.2.2.1

purl pkg:gem/actionpack@7.2.2.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.2.1

url pkg:gem/actionpack@8.0.0.beta1

purl pkg:gem/actionpack@8.0.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.beta1

url pkg:gem/actionpack@8.0.0.1

purl pkg:gem/actionpack@8.0.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ufrj-jn16-jybn

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.1

aliases CVE-2024-54133, GHSA-vfm5-rmrh-j26v

risk_score 1.9

exploitability 0.5

weighted_severity 3.9

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v3vg-9jdz-guf5

Fixing_vulnerabilities

url VCID-qe2s-6tzh-cqfv

vulnerability_id VCID-qe2s-6tzh-cqfv

summary open redirect

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22942.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22942.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-22942

reference_id

reference_type

scores

value	0.00533
scoring_system	epss
scoring_elements	0.67727
published_at	2026-06-04T12:55:00Z

value	0.00533
scoring_system	epss
scoring_elements	0.67768
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

https://github.com/rails/rails

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails

reference_url

https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c

reference_url

https://rubygems.org/gems/actionpack

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://rubygems.org/gems/actionpack

reference_url

https://security.netapp.com/advisory/ntap-20240202-0005

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240202-0005

reference_url

https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released

reference_url	https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/
reference_id
reference_type
scores
url	https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/

reference_url

https://www.debian.org/security/2023/dsa-5372

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2023/dsa-5372

reference_url

http://www.openwall.com/lists/oss-security/2021/12/14/5

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2021/12/14/5

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1995940
reference_id	1995940
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1995940

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586
reference_id	992586
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586

reference_url

https://security.archlinux.org/AVG-2492

reference_id

AVG-2492

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-2492

reference_url

https://security.archlinux.org/AVG-2493

reference_id

AVG-2493

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-2493

reference_url

https://access.redhat.com/security/cve/cve-2021-22942

reference_id

CVE-2021-22942

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/security/cve/cve-2021-22942

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-22942

reference_id

CVE-2021-22942

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22942

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml

reference_id

CVE-2021-22942.YML

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml

reference_url	https://github.com/advisories/GHSA-2rqw-v265-jf8c
reference_id	GHSA-2rqw-v265-jf8c
reference_type
scores
url	https://github.com/advisories/GHSA-2rqw-v265-jf8c

fixed_packages

url pkg:gem/actionpack@6.0.4.1

purl pkg:gem/actionpack@6.0.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.4.1

url pkg:gem/actionpack@6.1.4.1

purl pkg:gem/actionpack@6.1.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-37qm-tp8v-tugb

vulnerability	VCID-3m5y-hn64-bub8

vulnerability	VCID-4uv1-e1me-hqb3

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-egdx-4qqa-guh1

vulnerability	VCID-n798-maqx-y3c9

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-nprk-kfvh-vqfh

vulnerability	VCID-rpen-b1gf-9kh8

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ufrj-jn16-jybn

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-v3vg-9jdz-guf5

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.4.1

aliases CVE-2021-22942, GHSA-2rqw-v265-jf8c

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qe2s-6tzh-cqfv

Risk_score 3.4

Resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.4.1

Package Instance