Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:gem/actionpack@5.2.6
Typegem
Namespace
Nameactionpack
Version5.2.6
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version7.0.8.7
Latest_non_vulnerable_version8.1.2.1
Affected_by_vulnerabilities
0
url VCID-63gy-6njy-kbd8
vulnerability_id VCID-63gy-6njy-kbd8
summary 
ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted `X_FORWARDED_HOST` header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-22792
reference_id
reference_type
scores
0
value 0.02639
scoring_system epss
scoring_elements 0.85729
published_at 2026-04-16T12:55:00Z
1
value 0.02639
scoring_system epss
scoring_elements 0.85707
published_at 2026-04-13T12:55:00Z
2
value 0.02639
scoring_system epss
scoring_elements 0.85711
published_at 2026-04-12T12:55:00Z
3
value 0.02639
scoring_system epss
scoring_elements 0.85715
published_at 2026-04-11T12:55:00Z
4
value 0.02639
scoring_system epss
scoring_elements 0.85701
published_at 2026-04-09T12:55:00Z
5
value 0.02639
scoring_system epss
scoring_elements 0.85689
published_at 2026-04-08T12:55:00Z
6
value 0.02639
scoring_system epss
scoring_elements 0.85646
published_at 2026-04-02T12:55:00Z
7
value 0.02639
scoring_system epss
scoring_elements 0.8567
published_at 2026-04-07T12:55:00Z
8
value 0.02639
scoring_system epss
scoring_elements 0.85663
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-22792
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/
url https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115
13
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
14
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
15
reference_url https://github.com/rails/rails/releases/tag/v7.0.4.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.4.1
16
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml
17
reference_url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
18
reference_url https://security.netapp.com/advisory/ntap-20240202-0007
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240202-0007
19
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/
url https://www.debian.org/security/2023/dsa-5372
20
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id 1030050
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164800
reference_id 2164800
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164800
22
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22792
reference_id CVE-2023-22792
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-22792
23
reference_url https://github.com/advisories/GHSA-p84v-45xj-wwqj
reference_id GHSA-p84v-45xj-wwqj
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p84v-45xj-wwqj
24
reference_url https://security.netapp.com/advisory/ntap-20240202-0007/
reference_id ntap-20240202-0007
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/
url https://security.netapp.com/advisory/ntap-20240202-0007/
25
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
fixed_packages
0
url pkg:gem/actionpack@5.2.8
purl pkg:gem/actionpack@5.2.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-dd9p-x7k3-37ea
2
vulnerability VCID-ehbj-aezy-d7h4
3
vulnerability VCID-g3rk-djae-pkeh
4
vulnerability VCID-hppf-a715-r7b2
5
vulnerability VCID-sfyc-jewr-wuf5
6
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.8
1
url pkg:gem/actionpack@5.2.8.15
purl pkg:gem/actionpack@5.2.8.15
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.8.15
2
url pkg:gem/actionpack@6.1.7.1
purl pkg:gem/actionpack@6.1.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-dd9p-x7k3-37ea
2
vulnerability VCID-ehbj-aezy-d7h4
3
vulnerability VCID-g3rk-djae-pkeh
4
vulnerability VCID-hppf-a715-r7b2
5
vulnerability VCID-p22r-u1dd-b7b3
6
vulnerability VCID-sfyc-jewr-wuf5
7
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.1
3
url pkg:gem/actionpack@7.0.4.1
purl pkg:gem/actionpack@7.0.4.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5bh7-drnb-7ygg
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-dd9p-x7k3-37ea
3
vulnerability VCID-ehbj-aezy-d7h4
4
vulnerability VCID-g3rk-djae-pkeh
5
vulnerability VCID-hppf-a715-r7b2
6
vulnerability VCID-p22r-u1dd-b7b3
7
vulnerability VCID-sfyc-jewr-wuf5
8
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.4.1
aliases CVE-2023-22792, GHSA-p84v-45xj-wwqj, GMS-2023-58
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-63gy-6njy-kbd8
1
url VCID-ce39-j83r-6ug9
vulnerability_id VCID-ce39-j83r-6ug9
summary 
Duplicate
This advisory duplicates another.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22577.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22577.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-22577
reference_id
reference_type
scores
0
value 0.00287
scoring_system epss
scoring_elements 0.52201
published_at 2026-04-16T12:55:00Z
1
value 0.00287
scoring_system epss
scoring_elements 0.5216
published_at 2026-04-13T12:55:00Z
2
value 0.00287
scoring_system epss
scoring_elements 0.52175
published_at 2026-04-12T12:55:00Z
3
value 0.00287
scoring_system epss
scoring_elements 0.52192
published_at 2026-04-11T12:55:00Z
4
value 0.00287
scoring_system epss
scoring_elements 0.52141
published_at 2026-04-09T12:55:00Z
5
value 0.00287
scoring_system epss
scoring_elements 0.52145
published_at 2026-04-08T12:55:00Z
6
value 0.00287
scoring_system epss
scoring_elements 0.52091
published_at 2026-04-07T12:55:00Z
7
value 0.00287
scoring_system epss
scoring_elements 0.52099
published_at 2026-04-02T12:55:00Z
8
value 0.00287
scoring_system epss
scoring_elements 0.52126
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-22577
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533
13
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
14
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
15
reference_url https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec
16
reference_url https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508
17
reference_url https://github.com/rails/rails/commit/8198d7c4accad0b6ba956b9d59528534a289866b
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/8198d7c4accad0b6ba956b9d59528534a289866b
18
reference_url https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809
19
reference_url https://github.com/rails/rails/pull/44635
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/pull/44635
20
reference_url https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI
21
reference_url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
22
reference_url https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
23
reference_url https://security.netapp.com/advisory/ntap-20221118-0002
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20221118-0002
24
reference_url https://security.netapp.com/advisory/ntap-20221118-0002/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20221118-0002/
25
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5372
26
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011941
reference_id 1011941
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011941
27
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2080302
reference_id 2080302
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2080302
28
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-22577
reference_id CVE-2022-22577
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-22577
29
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml
reference_id CVE-2022-22577.YML
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml
30
reference_url https://github.com/advisories/GHSA-mm33-5vfq-3mm3
reference_id GHSA-mm33-5vfq-3mm3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mm33-5vfq-3mm3
31
reference_url https://access.redhat.com/errata/RHSA-2023:2097
reference_id RHSA-2023:2097
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2097
fixed_packages
0
url pkg:gem/actionpack@5.2.7.1
purl pkg:gem/actionpack@5.2.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-dd9p-x7k3-37ea
2
vulnerability VCID-ehbj-aezy-d7h4
3
vulnerability VCID-g3rk-djae-pkeh
4
vulnerability VCID-hppf-a715-r7b2
5
vulnerability VCID-sfyc-jewr-wuf5
6
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.7.1
1
url pkg:gem/actionpack@6.0.4.8
purl pkg:gem/actionpack@6.0.4.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-dd9p-x7k3-37ea
2
vulnerability VCID-ehbj-aezy-d7h4
3
vulnerability VCID-g3rk-djae-pkeh
4
vulnerability VCID-hppf-a715-r7b2
5
vulnerability VCID-sfyc-jewr-wuf5
6
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.4.8
2
url pkg:gem/actionpack@6.1.5.1
purl pkg:gem/actionpack@6.1.5.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-dd9p-x7k3-37ea
2
vulnerability VCID-ehbj-aezy-d7h4
3
vulnerability VCID-g3rk-djae-pkeh
4
vulnerability VCID-hppf-a715-r7b2
5
vulnerability VCID-p22r-u1dd-b7b3
6
vulnerability VCID-sfyc-jewr-wuf5
7
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.5.1
3
url pkg:gem/actionpack@7.0.2.4
purl pkg:gem/actionpack@7.0.2.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5bh7-drnb-7ygg
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-6tty-dbwx-rbgx
3
vulnerability VCID-dd9p-x7k3-37ea
4
vulnerability VCID-ehbj-aezy-d7h4
5
vulnerability VCID-g3rk-djae-pkeh
6
vulnerability VCID-hppf-a715-r7b2
7
vulnerability VCID-p22r-u1dd-b7b3
8
vulnerability VCID-sfyc-jewr-wuf5
9
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.2.4
aliases CVE-2022-22577, GHSA-mm33-5vfq-3mm3, GMS-2022-1137
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ce39-j83r-6ug9
2
url VCID-dd9p-x7k3-37ea
vulnerability_id VCID-dd9p-x7k3-37ea
summary 
Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to
The `redirect_to` method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28362.json
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28362.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-28362
reference_id
reference_type
scores
0
value 0.00224
scoring_system epss
scoring_elements 0.45215
published_at 2026-04-16T12:55:00Z
1
value 0.00224
scoring_system epss
scoring_elements 0.45164
published_at 2026-04-13T12:55:00Z
2
value 0.00224
scoring_system epss
scoring_elements 0.45162
published_at 2026-04-12T12:55:00Z
3
value 0.00224
scoring_system epss
scoring_elements 0.45194
published_at 2026-04-11T12:55:00Z
4
value 0.00224
scoring_system epss
scoring_elements 0.45174
published_at 2026-04-09T12:55:00Z
5
value 0.00224
scoring_system epss
scoring_elements 0.45173
published_at 2026-04-08T12:55:00Z
6
value 0.00224
scoring_system epss
scoring_elements 0.45177
published_at 2026-04-04T12:55:00Z
7
value 0.00224
scoring_system epss
scoring_elements 0.4512
published_at 2026-04-07T12:55:00Z
8
value 0.00224
scoring_system epss
scoring_elements 0.45155
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-28362
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28362
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28362
3
reference_url https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3
scoring_elements
1
value 4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/
url https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
6
reference_url https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441
reference_id
reference_type
scores
0
value 4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/
url https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441
7
reference_url https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5
reference_id
reference_type
scores
0
value 4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/
url https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5
8
reference_url https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23
9
reference_url https://security.netapp.com/advisory/ntap-20250502-0009
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250502-0009
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051058
reference_id 1051058
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051058
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2217785
reference_id 2217785
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2217785
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-28362
reference_id CVE-2023-28362
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-28362
13
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml
reference_id CVE-2023-28362.YML
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml
14
reference_url https://github.com/advisories/GHSA-4g8v-vg43-wpgf
reference_id GHSA-4g8v-vg43-wpgf
reference_type
scores
0
value 4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/
url https://github.com/advisories/GHSA-4g8v-vg43-wpgf
15
reference_url https://access.redhat.com/errata/RHSA-2023:7851
reference_id RHSA-2023:7851
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7851
fixed_packages
0
url pkg:gem/actionpack@6.1.7.4
purl pkg:gem/actionpack@6.1.7.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ehbj-aezy-d7h4
1
vulnerability VCID-g3rk-djae-pkeh
2
vulnerability VCID-p22r-u1dd-b7b3
3
vulnerability VCID-sfyc-jewr-wuf5
4
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.4
1
url pkg:gem/actionpack@7.0.5.1
purl pkg:gem/actionpack@7.0.5.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5bh7-drnb-7ygg
1
vulnerability VCID-ehbj-aezy-d7h4
2
vulnerability VCID-g3rk-djae-pkeh
3
vulnerability VCID-p22r-u1dd-b7b3
4
vulnerability VCID-sfyc-jewr-wuf5
5
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.5.1
aliases CVE-2023-28362, GHSA-4g8v-vg43-wpgf
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dd9p-x7k3-37ea
3
url VCID-ehbj-aezy-d7h4
vulnerability_id VCID-ehbj-aezy-d7h4
summary 
Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch
# Possible ReDoS vulnerability in Accept header parsing in Action Dispatch

There is a possible ReDoS vulnerability in the Accept header parsing routines
of Action Dispatch. This vulnerability has been assigned the CVE identifier
CVE-2024-26142.

Versions Affected:  >= 7.1.0, < 7.1.3.1
Not affected:       < 7.1.0
Fixed Versions:     7.1.3.1

Impact
------
Carefully crafted Accept headers can cause Accept header parsing in Action
Dispatch to take an unexpected amount of time, possibly resulting in a DoS
vulnerability.  All users running an affected release should either upgrade or
use one of the workarounds immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby
3.2 or newer are unaffected.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 7-1-accept-redox.patch - Patch for 7.1 series

Credits
-------
Thanks [svalkanov](https://hackerone.com/svalkanov) for the report and patch!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26142.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26142.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-26142
reference_id
reference_type
scores
0
value 0.03542
scoring_system epss
scoring_elements 0.87692
published_at 2026-04-16T12:55:00Z
1
value 0.03542
scoring_system epss
scoring_elements 0.87677
published_at 2026-04-13T12:55:00Z
2
value 0.03542
scoring_system epss
scoring_elements 0.8768
published_at 2026-04-12T12:55:00Z
3
value 0.03542
scoring_system epss
scoring_elements 0.87685
published_at 2026-04-11T12:55:00Z
4
value 0.03542
scoring_system epss
scoring_elements 0.87632
published_at 2026-04-02T12:55:00Z
5
value 0.03542
scoring_system epss
scoring_elements 0.87647
published_at 2026-04-07T12:55:00Z
6
value 0.03542
scoring_system epss
scoring_elements 0.87645
published_at 2026-04-04T12:55:00Z
7
value 0.03542
scoring_system epss
scoring_elements 0.87674
published_at 2026-04-09T12:55:00Z
8
value 0.03542
scoring_system epss
scoring_elements 0.87667
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-26142
2
reference_url https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/
url https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/
url https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
6
reference_url https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/
url https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26142
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-26142
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2266324
reference_id 2266324
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2266324
10
reference_url https://github.com/advisories/GHSA-jjhx-jhvp-74wq
reference_id GHSA-jjhx-jhvp-74wq
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jjhx-jhvp-74wq
11
reference_url https://security.netapp.com/advisory/ntap-20240503-0003/
reference_id ntap-20240503-0003
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/
url https://security.netapp.com/advisory/ntap-20240503-0003/
fixed_packages
0
url pkg:gem/actionpack@7.1.3.1
purl pkg:gem/actionpack@7.1.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g3rk-djae-pkeh
1
vulnerability VCID-p22r-u1dd-b7b3
2
vulnerability VCID-sfyc-jewr-wuf5
3
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.3.1
aliases CVE-2024-26142, GHSA-jjhx-jhvp-74wq
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ehbj-aezy-d7h4
4
url VCID-g3rk-djae-pkeh
vulnerability_id VCID-g3rk-djae-pkeh
summary 
Possible Content Security Policy bypass in Action Dispatch
There is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper in Action Pack.

Impact
------
Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits
-------
Thanks to [ryotak](https://hackerone.com/ryotak) for the report!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-54133
reference_id
reference_type
scores
0
value 0.00122
scoring_system epss
scoring_elements 0.31424
published_at 2026-04-02T12:55:00Z
1
value 0.00122
scoring_system epss
scoring_elements 0.31466
published_at 2026-04-04T12:55:00Z
2
value 0.0019
scoring_system epss
scoring_elements 0.40871
published_at 2026-04-12T12:55:00Z
3
value 0.0019
scoring_system epss
scoring_elements 0.40906
published_at 2026-04-11T12:55:00Z
4
value 0.0019
scoring_system epss
scoring_elements 0.40834
published_at 2026-04-07T12:55:00Z
5
value 0.0019
scoring_system epss
scoring_elements 0.4089
published_at 2026-04-09T12:55:00Z
6
value 0.0019
scoring_system epss
scoring_elements 0.40883
published_at 2026-04-08T12:55:00Z
7
value 0.0019
scoring_system epss
scoring_elements 0.40895
published_at 2026-04-16T12:55:00Z
8
value 0.0019
scoring_system epss
scoring_elements 0.40852
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-54133
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133
3
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
4
reference_url https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49
5
reference_url https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a
6
reference_url https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542
7
reference_url https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d
8
reference_url https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-54133
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-54133
11
reference_url https://security.netapp.com/advisory/ntap-20250306-0010
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250306-0010
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755
reference_id 1089755
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2331619
reference_id 2331619
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2331619
14
reference_url https://github.com/advisories/GHSA-vfm5-rmrh-j26v
reference_id GHSA-vfm5-rmrh-j26v
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vfm5-rmrh-j26v
fixed_packages
0
url pkg:gem/actionpack@7.0.8.7
purl pkg:gem/actionpack@7.0.8.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.7
1
url pkg:gem/actionpack@7.1.0.beta1
purl pkg:gem/actionpack@7.1.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ehbj-aezy-d7h4
1
vulnerability VCID-g3rk-djae-pkeh
2
vulnerability VCID-sfyc-jewr-wuf5
3
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.0.beta1
2
url pkg:gem/actionpack@7.1.5.1
purl pkg:gem/actionpack@7.1.5.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.5.1
3
url pkg:gem/actionpack@7.2.0.beta1
purl pkg:gem/actionpack@7.2.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g3rk-djae-pkeh
1
vulnerability VCID-p22r-u1dd-b7b3
2
vulnerability VCID-sfyc-jewr-wuf5
3
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.0.beta1
4
url pkg:gem/actionpack@7.2.2.1
purl pkg:gem/actionpack@7.2.2.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.2.1
5
url pkg:gem/actionpack@8.0.0.beta1
purl pkg:gem/actionpack@8.0.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g3rk-djae-pkeh
1
vulnerability VCID-sfyc-jewr-wuf5
2
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.beta1
6
url pkg:gem/actionpack@8.0.0.1
purl pkg:gem/actionpack@8.0.0.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.1
aliases CVE-2024-54133, GHSA-vfm5-rmrh-j26v
risk_score 1.9
exploitability 0.5
weighted_severity 3.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g3rk-djae-pkeh
5
url VCID-hppf-a715-r7b2
vulnerability_id VCID-hppf-a715-r7b2
summary 
ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-22795
reference_id
reference_type
scores
0
value 0.01523
scoring_system epss
scoring_elements 0.81303
published_at 2026-04-16T12:55:00Z
1
value 0.01523
scoring_system epss
scoring_elements 0.8121
published_at 2026-04-02T12:55:00Z
2
value 0.01523
scoring_system epss
scoring_elements 0.81234
published_at 2026-04-07T12:55:00Z
3
value 0.01523
scoring_system epss
scoring_elements 0.81262
published_at 2026-04-08T12:55:00Z
4
value 0.01523
scoring_system epss
scoring_elements 0.81267
published_at 2026-04-09T12:55:00Z
5
value 0.01523
scoring_system epss
scoring_elements 0.81288
published_at 2026-04-11T12:55:00Z
6
value 0.01523
scoring_system epss
scoring_elements 0.81274
published_at 2026-04-12T12:55:00Z
7
value 0.01523
scoring_system epss
scoring_elements 0.81266
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-22795
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118
13
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
14
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
15
reference_url https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f
16
reference_url https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0
17
reference_url https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592
18
reference_url https://github.com/rails/rails/releases/tag/v6.1.7.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.1.7.1
19
reference_url https://github.com/rails/rails/releases/tag/v7.0.4.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.4.1
20
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml
21
reference_url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
22
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id 1030050
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
23
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164799
reference_id 2164799
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164799
24
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22795
reference_id CVE-2023-22795
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-22795
25
reference_url https://github.com/advisories/GHSA-8xww-x3g3-6jcv
reference_id GHSA-8xww-x3g3-6jcv
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8xww-x3g3-6jcv
26
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
fixed_packages
0
url pkg:gem/actionpack@5.2.8
purl pkg:gem/actionpack@5.2.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-dd9p-x7k3-37ea
2
vulnerability VCID-ehbj-aezy-d7h4
3
vulnerability VCID-g3rk-djae-pkeh
4
vulnerability VCID-hppf-a715-r7b2
5
vulnerability VCID-sfyc-jewr-wuf5
6
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.8
1
url pkg:gem/actionpack@6.1.7.1
purl pkg:gem/actionpack@6.1.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-dd9p-x7k3-37ea
2
vulnerability VCID-ehbj-aezy-d7h4
3
vulnerability VCID-g3rk-djae-pkeh
4
vulnerability VCID-hppf-a715-r7b2
5
vulnerability VCID-p22r-u1dd-b7b3
6
vulnerability VCID-sfyc-jewr-wuf5
7
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.1
2
url pkg:gem/actionpack@7.0.4.1
purl pkg:gem/actionpack@7.0.4.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5bh7-drnb-7ygg
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-dd9p-x7k3-37ea
3
vulnerability VCID-ehbj-aezy-d7h4
4
vulnerability VCID-g3rk-djae-pkeh
5
vulnerability VCID-hppf-a715-r7b2
6
vulnerability VCID-p22r-u1dd-b7b3
7
vulnerability VCID-sfyc-jewr-wuf5
8
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.4.1
aliases CVE-2023-22795, GHSA-8xww-x3g3-6jcv, GMS-2023-56
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hppf-a715-r7b2
6
url VCID-jwun-grgg-2uet
vulnerability_id VCID-jwun-grgg-2uet
summary 
Exposure of information in Action Pack
Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23634.json
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23634.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-23633
reference_id
reference_type
scores
0
value 0.00367
scoring_system epss
scoring_elements 0.58669
published_at 2026-04-09T12:55:00Z
1
value 0.00367
scoring_system epss
scoring_elements 0.58687
published_at 2026-04-11T12:55:00Z
2
value 0.00367
scoring_system epss
scoring_elements 0.58648
published_at 2026-04-13T12:55:00Z
3
value 0.00367
scoring_system epss
scoring_elements 0.5868
published_at 2026-04-16T12:55:00Z
4
value 0.00367
scoring_system epss
scoring_elements 0.58667
published_at 2026-04-12T12:55:00Z
5
value 0.00367
scoring_system epss
scoring_elements 0.58623
published_at 2026-04-02T12:55:00Z
6
value 0.00367
scoring_system epss
scoring_elements 0.5861
published_at 2026-04-07T12:55:00Z
7
value 0.00367
scoring_system epss
scoring_elements 0.58643
published_at 2026-04-04T12:55:00Z
8
value 0.00367
scoring_system epss
scoring_elements 0.58662
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-23633
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-23634
reference_id
reference_type
scores
0
value 0.00441
scoring_system epss
scoring_elements 0.63267
published_at 2026-04-09T12:55:00Z
1
value 0.00441
scoring_system epss
scoring_elements 0.6327
published_at 2026-04-16T12:55:00Z
2
value 0.00441
scoring_system epss
scoring_elements 0.63233
published_at 2026-04-13T12:55:00Z
3
value 0.00441
scoring_system epss
scoring_elements 0.63269
published_at 2026-04-12T12:55:00Z
4
value 0.00441
scoring_system epss
scoring_elements 0.63284
published_at 2026-04-11T12:55:00Z
5
value 0.00441
scoring_system epss
scoring_elements 0.6325
published_at 2026-04-08T12:55:00Z
6
value 0.00441
scoring_system epss
scoring_elements 0.63198
published_at 2026-04-07T12:55:00Z
7
value 0.00453
scoring_system epss
scoring_elements 0.63789
published_at 2026-04-04T12:55:00Z
8
value 0.00453
scoring_system epss
scoring_elements 0.63763
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-23634
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
16
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
17
reference_url https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016
18
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
19
reference_url https://github.com/puma/puma
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma
20
reference_url https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
21
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
22
reference_url https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
23
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml
24
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml
25
reference_url https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3
scoring_elements
1
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
26
reference_url https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1
27
reference_url https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
28
reference_url https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
29
reference_url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
30
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5
31
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
32
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G
33
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
34
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB
35
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
36
reference_url https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released
37
reference_url https://security.gentoo.org/glsa/202208-28
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.gentoo.org/glsa/202208-28
38
reference_url https://security.netapp.com/advisory/ntap-20240119-0013
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240119-0013
39
reference_url https://security.netapp.com/advisory/ntap-20240119-0013/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20240119-0013/
40
reference_url https://www.debian.org/security/2022/dsa-5146
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2022/dsa-5146
41
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5372
42
reference_url http://www.openwall.com/lists/oss-security/2022/02/11/5
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2022/02/11/5
43
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389
reference_id 1005389
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389
44
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005391
reference_id 1005391
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005391
45
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2054211
reference_id 2054211
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2054211
46
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2063149
reference_id 2063149
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2063149
47
reference_url https://security.archlinux.org/AVG-2764
reference_id AVG-2764
reference_type
scores
0
value High
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2764
48
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-23633
reference_id CVE-2022-23633
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-23633
49
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-23634
reference_id CVE-2022-23634
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-23634
50
reference_url https://github.com/advisories/GHSA-rmj8-8hhh-gv5h
reference_id GHSA-rmj8-8hhh-gv5h
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-rmj8-8hhh-gv5h
51
reference_url https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
reference_id GHSA-rmj8-8hhh-gv5h
reference_type
scores
0
value 8.0
scoring_system cvssv3
scoring_elements
1
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
52
reference_url https://github.com/advisories/GHSA-wh98-p28r-vrc9
reference_id GHSA-wh98-p28r-vrc9
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-wh98-p28r-vrc9
53
reference_url https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
reference_id GHSA-wh98-p28r-vrc9
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
54
reference_url https://access.redhat.com/errata/RHSA-2022:5498
reference_id RHSA-2022:5498
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:5498
55
reference_url https://usn.ubuntu.com/6682-1/
reference_id USN-6682-1
reference_type
scores
url https://usn.ubuntu.com/6682-1/
fixed_packages
0
url pkg:gem/actionpack@5.2.6.2
purl pkg:gem/actionpack@5.2.6.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-ce39-j83r-6ug9
2
vulnerability VCID-dd9p-x7k3-37ea
3
vulnerability VCID-ehbj-aezy-d7h4
4
vulnerability VCID-g3rk-djae-pkeh
5
vulnerability VCID-hppf-a715-r7b2
6
vulnerability VCID-p5mc-r1rg-5ff7
7
vulnerability VCID-sfyc-jewr-wuf5
8
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.6.2
1
url pkg:gem/actionpack@6.0.0.beta1
purl pkg:gem/actionpack@6.0.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1xgz-hwng-n3eq
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-dd9p-x7k3-37ea
3
vulnerability VCID-ehbj-aezy-d7h4
4
vulnerability VCID-g3rk-djae-pkeh
5
vulnerability VCID-hppf-a715-r7b2
6
vulnerability VCID-msda-xqbp-qfdd
7
vulnerability VCID-sfyc-jewr-wuf5
8
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.0.beta1
2
url pkg:gem/actionpack@6.0.4.6
purl pkg:gem/actionpack@6.0.4.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-ce39-j83r-6ug9
2
vulnerability VCID-dd9p-x7k3-37ea
3
vulnerability VCID-ehbj-aezy-d7h4
4
vulnerability VCID-g3rk-djae-pkeh
5
vulnerability VCID-hppf-a715-r7b2
6
vulnerability VCID-p5mc-r1rg-5ff7
7
vulnerability VCID-sfyc-jewr-wuf5
8
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.4.6
3
url pkg:gem/actionpack@6.1.0.rc1
purl pkg:gem/actionpack@6.1.0.rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-dd9p-x7k3-37ea
2
vulnerability VCID-ehbj-aezy-d7h4
3
vulnerability VCID-g3rk-djae-pkeh
4
vulnerability VCID-hppf-a715-r7b2
5
vulnerability VCID-msda-xqbp-qfdd
6
vulnerability VCID-sfyc-jewr-wuf5
7
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.0.rc1
4
url pkg:gem/actionpack@6.1.4.6
purl pkg:gem/actionpack@6.1.4.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-ce39-j83r-6ug9
2
vulnerability VCID-dd9p-x7k3-37ea
3
vulnerability VCID-ehbj-aezy-d7h4
4
vulnerability VCID-g3rk-djae-pkeh
5
vulnerability VCID-hppf-a715-r7b2
6
vulnerability VCID-p22r-u1dd-b7b3
7
vulnerability VCID-p5mc-r1rg-5ff7
8
vulnerability VCID-sfyc-jewr-wuf5
9
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.4.6
5
url pkg:gem/actionpack@7.0.0.alpha1
purl pkg:gem/actionpack@7.0.0.alpha1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-ehbj-aezy-d7h4
2
vulnerability VCID-g3rk-djae-pkeh
3
vulnerability VCID-hppf-a715-r7b2
4
vulnerability VCID-sfyc-jewr-wuf5
5
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1
6
url pkg:gem/actionpack@7.0.2.2
purl pkg:gem/actionpack@7.0.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5bh7-drnb-7ygg
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-6tty-dbwx-rbgx
3
vulnerability VCID-ce39-j83r-6ug9
4
vulnerability VCID-dd9p-x7k3-37ea
5
vulnerability VCID-ehbj-aezy-d7h4
6
vulnerability VCID-g3rk-djae-pkeh
7
vulnerability VCID-hppf-a715-r7b2
8
vulnerability VCID-p22r-u1dd-b7b3
9
vulnerability VCID-p5mc-r1rg-5ff7
10
vulnerability VCID-sfyc-jewr-wuf5
11
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.2.2
aliases CVE-2022-23633, CVE-2022-23634, GHSA-rmj8-8hhh-gv5h, GHSA-wh98-p28r-vrc9
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jwun-grgg-2uet
7
url VCID-msda-xqbp-qfdd
vulnerability_id VCID-msda-xqbp-qfdd
summary 
Possible Open Redirect Vulnerability in Action Pack
There is a possible Open Redirect Vulnerability in Action Pack.

Versions Affected:  >= v6.1.0.rc2
Not affected:       < v6.1.0.rc2
Fixed Versions:     6.1.3.2

Impact
------
This is similar to CVE-2021-22881. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious
website.

Since rails/rails@9bc7ea5, strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, config.hosts << "sub.example.com" to permit a request with a Host header value of sub-example.com.


Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
The following monkey patch put in an initializer can be used as a workaround.

```ruby
class ActionDispatch::HostAuthorization::Permissions
  def sanitize_string(host)
    if host.start_with?(".")
      /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
    else
      /\A#{Regexp.escape host}\z/i
    end
  end
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 6-1-open-redirect.patch - Patch for 6.1 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------

Thanks Jonathan Hefner (https://hackerone.com/jonathanhefner) for reporting this bug!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22903.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22903.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-22903
reference_id
reference_type
scores
0
value 0.00151
scoring_system epss
scoring_elements 0.35808
published_at 2026-04-16T12:55:00Z
1
value 0.00151
scoring_system epss
scoring_elements 0.35768
published_at 2026-04-13T12:55:00Z
2
value 0.00151
scoring_system epss
scoring_elements 0.35791
published_at 2026-04-12T12:55:00Z
3
value 0.00151
scoring_system epss
scoring_elements 0.3592
published_at 2026-04-04T12:55:00Z
4
value 0.00151
scoring_system epss
scoring_elements 0.35831
published_at 2026-04-11T12:55:00Z
5
value 0.00151
scoring_system epss
scoring_elements 0.35823
published_at 2026-04-09T12:55:00Z
6
value 0.00151
scoring_system epss
scoring_elements 0.35801
published_at 2026-04-08T12:55:00Z
7
value 0.00151
scoring_system epss
scoring_elements 0.35693
published_at 2026-04-01T12:55:00Z
8
value 0.00151
scoring_system epss
scoring_elements 0.35751
published_at 2026-04-07T12:55:00Z
9
value 0.00151
scoring_system epss
scoring_elements 0.3589
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-22903
2
reference_url https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails/releases/tag/v6.1.3.2
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.1.3.2
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22903.yml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22903.yml
6
reference_url https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0
7
reference_url https://hackerone.com/reports/1148025
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/1148025
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-22903
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-22903
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1957438
reference_id 1957438
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1957438
10
reference_url https://security.archlinux.org/AVG-1919
reference_id AVG-1919
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1919
11
reference_url https://github.com/advisories/GHSA-5hq2-xf89-9jxq
reference_id GHSA-5hq2-xf89-9jxq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5hq2-xf89-9jxq
fixed_packages
0
url pkg:gem/actionpack@6.1.3.2
purl pkg:gem/actionpack@6.1.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1bxs-yghe-cyck
1
vulnerability VCID-1x8k-t8mr-3fgp
2
vulnerability VCID-63gy-6njy-kbd8
3
vulnerability VCID-ce39-j83r-6ug9
4
vulnerability VCID-dd9p-x7k3-37ea
5
vulnerability VCID-ehbj-aezy-d7h4
6
vulnerability VCID-g3rk-djae-pkeh
7
vulnerability VCID-hppf-a715-r7b2
8
vulnerability VCID-jwun-grgg-2uet
9
vulnerability VCID-p22r-u1dd-b7b3
10
vulnerability VCID-p5mc-r1rg-5ff7
11
vulnerability VCID-sfyc-jewr-wuf5
12
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.3.2
aliases CVE-2021-22903, GHSA-5hq2-xf89-9jxq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-msda-xqbp-qfdd
8
url VCID-p5mc-r1rg-5ff7
vulnerability_id VCID-p5mc-r1rg-5ff7
summary Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in actionview.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-27777.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-27777.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-27777
reference_id
reference_type
scores
0
value 0.00911
scoring_system epss
scoring_elements 0.7586
published_at 2026-04-16T12:55:00Z
1
value 0.00911
scoring_system epss
scoring_elements 0.75823
published_at 2026-04-13T12:55:00Z
2
value 0.00911
scoring_system epss
scoring_elements 0.75829
published_at 2026-04-12T12:55:00Z
3
value 0.00911
scoring_system epss
scoring_elements 0.75848
published_at 2026-04-11T12:55:00Z
4
value 0.00911
scoring_system epss
scoring_elements 0.75824
published_at 2026-04-09T12:55:00Z
5
value 0.00911
scoring_system epss
scoring_elements 0.75812
published_at 2026-04-08T12:55:00Z
6
value 0.00911
scoring_system epss
scoring_elements 0.7578
published_at 2026-04-07T12:55:00Z
7
value 0.00911
scoring_system epss
scoring_elements 0.75801
published_at 2026-04-04T12:55:00Z
8
value 0.00911
scoring_system epss
scoring_elements 0.75768
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-27777
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534
13
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
14
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
15
reference_url https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85
16
reference_url https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw
17
reference_url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
18
reference_url https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
19
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5372
20
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016982
reference_id 1016982
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016982
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2080296
reference_id 2080296
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2080296
22
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-27777
reference_id CVE-2022-27777
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-27777
23
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml
reference_id CVE-2022-27777.YML
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml
24
reference_url https://github.com/advisories/GHSA-ch3h-j2vf-95pv
reference_id GHSA-ch3h-j2vf-95pv
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-ch3h-j2vf-95pv
25
reference_url https://access.redhat.com/errata/RHSA-2023:2097
reference_id RHSA-2023:2097
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2097
fixed_packages
0
url pkg:gem/actionpack@5.2.7.1
purl pkg:gem/actionpack@5.2.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-dd9p-x7k3-37ea
2
vulnerability VCID-ehbj-aezy-d7h4
3
vulnerability VCID-g3rk-djae-pkeh
4
vulnerability VCID-hppf-a715-r7b2
5
vulnerability VCID-sfyc-jewr-wuf5
6
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.7.1
1
url pkg:gem/actionpack@6.0.4.8
purl pkg:gem/actionpack@6.0.4.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-dd9p-x7k3-37ea
2
vulnerability VCID-ehbj-aezy-d7h4
3
vulnerability VCID-g3rk-djae-pkeh
4
vulnerability VCID-hppf-a715-r7b2
5
vulnerability VCID-sfyc-jewr-wuf5
6
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.4.8
2
url pkg:gem/actionpack@6.1.5.1
purl pkg:gem/actionpack@6.1.5.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-dd9p-x7k3-37ea
2
vulnerability VCID-ehbj-aezy-d7h4
3
vulnerability VCID-g3rk-djae-pkeh
4
vulnerability VCID-hppf-a715-r7b2
5
vulnerability VCID-p22r-u1dd-b7b3
6
vulnerability VCID-sfyc-jewr-wuf5
7
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.5.1
3
url pkg:gem/actionpack@7.0.2.4
purl pkg:gem/actionpack@7.0.2.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5bh7-drnb-7ygg
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-6tty-dbwx-rbgx
3
vulnerability VCID-dd9p-x7k3-37ea
4
vulnerability VCID-ehbj-aezy-d7h4
5
vulnerability VCID-g3rk-djae-pkeh
6
vulnerability VCID-hppf-a715-r7b2
7
vulnerability VCID-p22r-u1dd-b7b3
8
vulnerability VCID-sfyc-jewr-wuf5
9
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.2.4
aliases CVE-2022-27777, GHSA-ch3h-j2vf-95pv, GMS-2022-1138
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p5mc-r1rg-5ff7
9
url VCID-sfyc-jewr-wuf5
vulnerability_id VCID-sfyc-jewr-wuf5
summary 
Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.

Impact
------

For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Users on Ruby 3.2 are unaffected by this issue.


Credits
-------
Thanks to [scyoon](https://hackerone.com/scyoon) for reporting
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47887.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47887.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-47887
reference_id
reference_type
scores
0
value 0.00296
scoring_system epss
scoring_elements 0.5297
published_at 2026-04-16T12:55:00Z
1
value 0.00296
scoring_system epss
scoring_elements 0.52876
published_at 2026-04-02T12:55:00Z
2
value 0.00296
scoring_system epss
scoring_elements 0.52932
published_at 2026-04-13T12:55:00Z
3
value 0.00296
scoring_system epss
scoring_elements 0.52948
published_at 2026-04-12T12:55:00Z
4
value 0.00296
scoring_system epss
scoring_elements 0.52964
published_at 2026-04-11T12:55:00Z
5
value 0.00296
scoring_system epss
scoring_elements 0.52914
published_at 2026-04-09T12:55:00Z
6
value 0.00296
scoring_system epss
scoring_elements 0.5292
published_at 2026-04-08T12:55:00Z
7
value 0.00296
scoring_system epss
scoring_elements 0.5287
published_at 2026-04-07T12:55:00Z
8
value 0.00296
scoring_system epss
scoring_elements 0.52901
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-47887
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47887
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47887
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id 1085376
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2319034
reference_id 2319034
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2319034
9
reference_url https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049
reference_id 56b2fc3302836405b496e196a8d5fc0195e55049
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049
10
reference_url https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a
reference_id 7c1398854d51f9bb193fb79f226647351133d08a
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a
11
reference_url https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545
reference_id 8e057db25bff1dc7a98e9ae72e0083825b9ac545
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-47887
reference_id CVE-2024-47887
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-47887
13
reference_url https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2
reference_id f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2
14
reference_url https://github.com/advisories/GHSA-vfg9-r3fq-jvx4
reference_id GHSA-vfg9-r3fq-jvx4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vfg9-r3fq-jvx4
15
reference_url https://usn.ubuntu.com/7290-1/
reference_id USN-7290-1
reference_type
scores
url https://usn.ubuntu.com/7290-1/
fixed_packages
0
url pkg:gem/actionpack@6.1.7.9
purl pkg:gem/actionpack@6.1.7.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g3rk-djae-pkeh
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.9
1
url pkg:gem/actionpack@7.0.0.alpha1
purl pkg:gem/actionpack@7.0.0.alpha1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-ehbj-aezy-d7h4
2
vulnerability VCID-g3rk-djae-pkeh
3
vulnerability VCID-hppf-a715-r7b2
4
vulnerability VCID-sfyc-jewr-wuf5
5
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1
2
url pkg:gem/actionpack@7.0.8.5
purl pkg:gem/actionpack@7.0.8.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g3rk-djae-pkeh
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.5
3
url pkg:gem/actionpack@7.1.0.beta1
purl pkg:gem/actionpack@7.1.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ehbj-aezy-d7h4
1
vulnerability VCID-g3rk-djae-pkeh
2
vulnerability VCID-sfyc-jewr-wuf5
3
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.0.beta1
4
url pkg:gem/actionpack@7.1.4.1
purl pkg:gem/actionpack@7.1.4.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g3rk-djae-pkeh
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.4.1
5
url pkg:gem/actionpack@7.2.0.beta1
purl pkg:gem/actionpack@7.2.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g3rk-djae-pkeh
1
vulnerability VCID-p22r-u1dd-b7b3
2
vulnerability VCID-sfyc-jewr-wuf5
3
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.0.beta1
6
url pkg:gem/actionpack@7.2.1.1
purl pkg:gem/actionpack@7.2.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g3rk-djae-pkeh
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.1.1
7
url pkg:gem/actionpack@8.0.0.beta1
purl pkg:gem/actionpack@8.0.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g3rk-djae-pkeh
1
vulnerability VCID-sfyc-jewr-wuf5
2
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.beta1
aliases CVE-2024-47887, GHSA-vfg9-r3fq-jvx4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sfyc-jewr-wuf5
10
url VCID-sgdb-985e-4uej
vulnerability_id VCID-sgdb-985e-4uej
summary 
Possible ReDoS vulnerability in query parameter filtering in Action Dispatch
There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.

Impact
------

Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.


Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Users on Ruby 3.2 are unaffected by this issue.


Credits
-------

Thanks to [scyoon](https://hackerone.com/scyoon) for the report and patches!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41128.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41128.json
1
reference_url https://access.redhat.com/security/cve/cve-2024-41128
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://access.redhat.com/security/cve/cve-2024-41128
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-41128
reference_id
reference_type
scores
0
value 0.00605
scoring_system epss
scoring_elements 0.69624
published_at 2026-04-09T12:55:00Z
1
value 0.00605
scoring_system epss
scoring_elements 0.69608
published_at 2026-04-08T12:55:00Z
2
value 0.00605
scoring_system epss
scoring_elements 0.69557
published_at 2026-04-07T12:55:00Z
3
value 0.00605
scoring_system epss
scoring_elements 0.69562
published_at 2026-04-02T12:55:00Z
4
value 0.00605
scoring_system epss
scoring_elements 0.69578
published_at 2026-04-04T12:55:00Z
5
value 0.00605
scoring_system epss
scoring_elements 0.69657
published_at 2026-04-16T12:55:00Z
6
value 0.00605
scoring_system epss
scoring_elements 0.69618
published_at 2026-04-13T12:55:00Z
7
value 0.00605
scoring_system epss
scoring_elements 0.69632
published_at 2026-04-12T12:55:00Z
8
value 0.00605
scoring_system epss
scoring_elements 0.69647
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-41128
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2319036
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://bugzilla.redhat.com/show_bug.cgi?id=2319036
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41128
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41128
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
7
reference_url https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075
8
reference_url https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef
9
reference_url https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891
10
reference_url https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-41128
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-41128
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id 1085376
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
15
reference_url https://github.com/advisories/GHSA-x76w-6vjr-8xgj
reference_id GHSA-x76w-6vjr-8xgj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x76w-6vjr-8xgj
16
reference_url https://usn.ubuntu.com/7290-1/
reference_id USN-7290-1
reference_type
scores
url https://usn.ubuntu.com/7290-1/
fixed_packages
0
url pkg:gem/actionpack@6.1.7.9
purl pkg:gem/actionpack@6.1.7.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g3rk-djae-pkeh
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.9
1
url pkg:gem/actionpack@7.0.0.alpha1
purl pkg:gem/actionpack@7.0.0.alpha1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-ehbj-aezy-d7h4
2
vulnerability VCID-g3rk-djae-pkeh
3
vulnerability VCID-hppf-a715-r7b2
4
vulnerability VCID-sfyc-jewr-wuf5
5
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1
2
url pkg:gem/actionpack@7.0.8.5
purl pkg:gem/actionpack@7.0.8.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g3rk-djae-pkeh
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.5
3
url pkg:gem/actionpack@7.1.0.beta1
purl pkg:gem/actionpack@7.1.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ehbj-aezy-d7h4
1
vulnerability VCID-g3rk-djae-pkeh
2
vulnerability VCID-sfyc-jewr-wuf5
3
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.0.beta1
4
url pkg:gem/actionpack@7.1.4.1
purl pkg:gem/actionpack@7.1.4.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g3rk-djae-pkeh
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.4.1
5
url pkg:gem/actionpack@7.2.0.beta1
purl pkg:gem/actionpack@7.2.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g3rk-djae-pkeh
1
vulnerability VCID-p22r-u1dd-b7b3
2
vulnerability VCID-sfyc-jewr-wuf5
3
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.0.beta1
6
url pkg:gem/actionpack@7.2.1.1
purl pkg:gem/actionpack@7.2.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g3rk-djae-pkeh
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.1.1
7
url pkg:gem/actionpack@8.0.0.beta1
purl pkg:gem/actionpack@8.0.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g3rk-djae-pkeh
1
vulnerability VCID-sfyc-jewr-wuf5
2
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.beta1
aliases CVE-2024-41128, GHSA-x76w-6vjr-8xgj
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sgdb-985e-4uej
Fixing_vulnerabilities
0
url VCID-gjey-bqtd-kqa1
vulnerability_id VCID-gjey-bqtd-kqa1
summary 
Action Pack contains Information Disclosure / Unintended Method Execution vulnerability
Impact
------
There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the `redirect_to` or `polymorphic_url` helper with untrusted user input.

Vulnerable code will look like this.

```
redirect_to(params[:some_param])
```

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
To work around this problem, it is recommended to use an allow list for valid parameters passed from the user.  For example,

```ruby
private def check(param)
  case param
  when "valid"
    param
  else
    "/"
  end
end

def index
  redirect_to(check(params[:some_param]))
end
```

Or force the user input to be cast to a string like this,

```ruby
def index
  redirect_to(params[:some_param].to_s)
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 5-2-information-disclosure.patch - Patch for 5.2 series
* 6-0-information-disclosure.patch - Patch for 6.0 series
* 6-1-information-disclosure.patch - Patch for 6.1 series

Please note that only the 5.2, 6.0, and 6.1 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------

Thanks to Benoit Côté-Jodoin from Shopify for reporting this.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22885.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22885.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-22885
reference_id
reference_type
scores
0
value 0.03096
scoring_system epss
scoring_elements 0.86805
published_at 2026-04-11T12:55:00Z
1
value 0.03096
scoring_system epss
scoring_elements 0.86812
published_at 2026-04-16T12:55:00Z
2
value 0.03096
scoring_system epss
scoring_elements 0.86736
published_at 2026-04-01T12:55:00Z
3
value 0.03096
scoring_system epss
scoring_elements 0.86797
published_at 2026-04-13T12:55:00Z
4
value 0.03096
scoring_system epss
scoring_elements 0.86746
published_at 2026-04-02T12:55:00Z
5
value 0.03096
scoring_system epss
scoring_elements 0.86765
published_at 2026-04-04T12:55:00Z
6
value 0.03096
scoring_system epss
scoring_elements 0.86763
published_at 2026-04-07T12:55:00Z
7
value 0.03096
scoring_system epss
scoring_elements 0.86783
published_at 2026-04-08T12:55:00Z
8
value 0.03096
scoring_system epss
scoring_elements 0.86791
published_at 2026-04-09T12:55:00Z
9
value 0.03096
scoring_system epss
scoring_elements 0.86802
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-22885
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml
7
reference_url https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
8
reference_url https://hackerone.com/reports/1106652
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/1106652
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-22885
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-22885
10
reference_url https://security.netapp.com/advisory/ntap-20210805-0009
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210805-0009
11
reference_url https://security.netapp.com/advisory/ntap-20210805-0009/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210805-0009/
12
reference_url https://www.debian.org/security/2021/dsa-4929
reference_id
reference_type
scores
url https://www.debian.org/security/2021/dsa-4929
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1957441
reference_id 1957441
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1957441
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
reference_id 988214
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
15
reference_url https://security.archlinux.org/AVG-1920
reference_id AVG-1920
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1920
16
reference_url https://security.archlinux.org/AVG-1921
reference_id AVG-1921
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1921
17
reference_url https://security.archlinux.org/AVG-2090
reference_id AVG-2090
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2090
18
reference_url https://security.archlinux.org/AVG-2223
reference_id AVG-2223
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2223
19
reference_url https://github.com/advisories/GHSA-hjg4-8q5f-x6fm
reference_id GHSA-hjg4-8q5f-x6fm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hjg4-8q5f-x6fm
20
reference_url https://access.redhat.com/errata/RHSA-2021:4702
reference_id RHSA-2021:4702
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4702
fixed_packages
0
url pkg:gem/actionpack@5.2.4.6
purl pkg:gem/actionpack@5.2.4.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-ce39-j83r-6ug9
2
vulnerability VCID-dd9p-x7k3-37ea
3
vulnerability VCID-ehbj-aezy-d7h4
4
vulnerability VCID-g3rk-djae-pkeh
5
vulnerability VCID-hppf-a715-r7b2
6
vulnerability VCID-jwun-grgg-2uet
7
vulnerability VCID-msda-xqbp-qfdd
8
vulnerability VCID-p5mc-r1rg-5ff7
9
vulnerability VCID-sfyc-jewr-wuf5
10
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.4.6
1
url pkg:gem/actionpack@5.2.6
purl pkg:gem/actionpack@5.2.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-ce39-j83r-6ug9
2
vulnerability VCID-dd9p-x7k3-37ea
3
vulnerability VCID-ehbj-aezy-d7h4
4
vulnerability VCID-g3rk-djae-pkeh
5
vulnerability VCID-hppf-a715-r7b2
6
vulnerability VCID-jwun-grgg-2uet
7
vulnerability VCID-msda-xqbp-qfdd
8
vulnerability VCID-p5mc-r1rg-5ff7
9
vulnerability VCID-sfyc-jewr-wuf5
10
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.6
2
url pkg:gem/actionpack@6.0.3.7
purl pkg:gem/actionpack@6.0.3.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1bxs-yghe-cyck
1
vulnerability VCID-1x8k-t8mr-3fgp
2
vulnerability VCID-63gy-6njy-kbd8
3
vulnerability VCID-ce39-j83r-6ug9
4
vulnerability VCID-dd9p-x7k3-37ea
5
vulnerability VCID-ehbj-aezy-d7h4
6
vulnerability VCID-g3rk-djae-pkeh
7
vulnerability VCID-hppf-a715-r7b2
8
vulnerability VCID-jwun-grgg-2uet
9
vulnerability VCID-msda-xqbp-qfdd
10
vulnerability VCID-p5mc-r1rg-5ff7
11
vulnerability VCID-sfyc-jewr-wuf5
12
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.7
3
url pkg:gem/actionpack@6.1.3.1
purl pkg:gem/actionpack@6.1.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1bxs-yghe-cyck
1
vulnerability VCID-1x8k-t8mr-3fgp
2
vulnerability VCID-63gy-6njy-kbd8
3
vulnerability VCID-ce39-j83r-6ug9
4
vulnerability VCID-dd9p-x7k3-37ea
5
vulnerability VCID-ehbj-aezy-d7h4
6
vulnerability VCID-g3rk-djae-pkeh
7
vulnerability VCID-gjey-bqtd-kqa1
8
vulnerability VCID-hppf-a715-r7b2
9
vulnerability VCID-jwun-grgg-2uet
10
vulnerability VCID-msda-xqbp-qfdd
11
vulnerability VCID-p22r-u1dd-b7b3
12
vulnerability VCID-p5mc-r1rg-5ff7
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-wg3a-j2dp-ayh4
16
vulnerability VCID-wyy6-h8bq-vyde
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.3.1
4
url pkg:gem/actionpack@6.1.3.2
purl pkg:gem/actionpack@6.1.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1bxs-yghe-cyck
1
vulnerability VCID-1x8k-t8mr-3fgp
2
vulnerability VCID-63gy-6njy-kbd8
3
vulnerability VCID-ce39-j83r-6ug9
4
vulnerability VCID-dd9p-x7k3-37ea
5
vulnerability VCID-ehbj-aezy-d7h4
6
vulnerability VCID-g3rk-djae-pkeh
7
vulnerability VCID-hppf-a715-r7b2
8
vulnerability VCID-jwun-grgg-2uet
9
vulnerability VCID-p22r-u1dd-b7b3
10
vulnerability VCID-p5mc-r1rg-5ff7
11
vulnerability VCID-sfyc-jewr-wuf5
12
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.3.2
aliases CVE-2021-22885, GHSA-hjg4-8q5f-x6fm
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gjey-bqtd-kqa1
1
url VCID-wg3a-j2dp-ayh4
vulnerability_id VCID-wg3a-j2dp-ayh4
summary 
Possible DoS Vulnerability in Action Controller Token Authentication
There is a possible DoS vulnerability in the Token Authentication logic in Action Controller.

Versions Affected:  >= 4.0.0
Not affected:       < 4.0.0
Fixed Versions:     6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact
------
Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.  Impacted code will look something like this:

```
class PostsController < ApplicationController
  before_action :authenticate

  private

  def authenticate
    authenticate_or_request_with_http_token do |token, options|
      # ...
    end
  end
end
```

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
The following monkey patch placed in an initializer can be used to work around the issue:

```ruby
module ActionController::HttpAuthentication::Token
  AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 5-2-http-authentication-dos.patch - Patch for 5.2 series
* 6-0-http-authentication-dos.patch - Patch for 6.0 series
* 6-1-http-authentication-dos.patch - Patch for 6.1 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------
Thank you to https://hackerone.com/wonda_tea_coffee for reporting this issue!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-22904
reference_id
reference_type
scores
0
value 0.07856
scoring_system epss
scoring_elements 0.92022
published_at 2026-04-16T12:55:00Z
1
value 0.07856
scoring_system epss
scoring_elements 0.92007
published_at 2026-04-12T12:55:00Z
2
value 0.07856
scoring_system epss
scoring_elements 0.92004
published_at 2026-04-13T12:55:00Z
3
value 0.07856
scoring_system epss
scoring_elements 0.92
published_at 2026-04-08T12:55:00Z
4
value 0.07856
scoring_system epss
scoring_elements 0.91987
published_at 2026-04-07T12:55:00Z
5
value 0.07856
scoring_system epss
scoring_elements 0.91981
published_at 2026-04-04T12:55:00Z
6
value 0.07856
scoring_system epss
scoring_elements 0.91966
published_at 2026-04-01T12:55:00Z
7
value 0.07856
scoring_system epss
scoring_elements 0.91974
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-22904
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
5
reference_url https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869
6
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
7
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
8
reference_url https://github.com/rails/rails/releases/tag/v5.2.4.6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v5.2.4.6
9
reference_url https://github.com/rails/rails/releases/tag/v5.2.6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v5.2.6
10
reference_url https://github.com/rails/rails/releases/tag/v6.0.3.7
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.0.3.7
11
reference_url https://github.com/rails/rails/releases/tag/v6.1.3.2
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.1.3.2
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml
13
reference_url https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
14
reference_url https://hackerone.com/reports/1101125
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/1101125
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-22904
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-22904
16
reference_url https://security.netapp.com/advisory/ntap-20210805-0009
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210805-0009
17
reference_url https://security.netapp.com/advisory/ntap-20210805-0009/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210805-0009/
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1961379
reference_id 1961379
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1961379
19
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
reference_id 988214
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
20
reference_url https://security.archlinux.org/AVG-1920
reference_id AVG-1920
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1920
21
reference_url https://security.archlinux.org/AVG-1921
reference_id AVG-1921
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1921
22
reference_url https://security.archlinux.org/AVG-2090
reference_id AVG-2090
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2090
23
reference_url https://security.archlinux.org/AVG-2223
reference_id AVG-2223
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2223
24
reference_url https://github.com/advisories/GHSA-7wjx-3g7j-8584
reference_id GHSA-7wjx-3g7j-8584
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7wjx-3g7j-8584
25
reference_url https://access.redhat.com/errata/RHSA-2021:4702
reference_id RHSA-2021:4702
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4702
fixed_packages
0
url pkg:gem/actionpack@5.2.4.6
purl pkg:gem/actionpack@5.2.4.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-ce39-j83r-6ug9
2
vulnerability VCID-dd9p-x7k3-37ea
3
vulnerability VCID-ehbj-aezy-d7h4
4
vulnerability VCID-g3rk-djae-pkeh
5
vulnerability VCID-hppf-a715-r7b2
6
vulnerability VCID-jwun-grgg-2uet
7
vulnerability VCID-msda-xqbp-qfdd
8
vulnerability VCID-p5mc-r1rg-5ff7
9
vulnerability VCID-sfyc-jewr-wuf5
10
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.4.6
1
url pkg:gem/actionpack@5.2.6
purl pkg:gem/actionpack@5.2.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-ce39-j83r-6ug9
2
vulnerability VCID-dd9p-x7k3-37ea
3
vulnerability VCID-ehbj-aezy-d7h4
4
vulnerability VCID-g3rk-djae-pkeh
5
vulnerability VCID-hppf-a715-r7b2
6
vulnerability VCID-jwun-grgg-2uet
7
vulnerability VCID-msda-xqbp-qfdd
8
vulnerability VCID-p5mc-r1rg-5ff7
9
vulnerability VCID-sfyc-jewr-wuf5
10
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.6
2
url pkg:gem/actionpack@6.0.3.7
purl pkg:gem/actionpack@6.0.3.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1bxs-yghe-cyck
1
vulnerability VCID-1x8k-t8mr-3fgp
2
vulnerability VCID-63gy-6njy-kbd8
3
vulnerability VCID-ce39-j83r-6ug9
4
vulnerability VCID-dd9p-x7k3-37ea
5
vulnerability VCID-ehbj-aezy-d7h4
6
vulnerability VCID-g3rk-djae-pkeh
7
vulnerability VCID-hppf-a715-r7b2
8
vulnerability VCID-jwun-grgg-2uet
9
vulnerability VCID-msda-xqbp-qfdd
10
vulnerability VCID-p5mc-r1rg-5ff7
11
vulnerability VCID-sfyc-jewr-wuf5
12
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.7
3
url pkg:gem/actionpack@6.1.3.2
purl pkg:gem/actionpack@6.1.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1bxs-yghe-cyck
1
vulnerability VCID-1x8k-t8mr-3fgp
2
vulnerability VCID-63gy-6njy-kbd8
3
vulnerability VCID-ce39-j83r-6ug9
4
vulnerability VCID-dd9p-x7k3-37ea
5
vulnerability VCID-ehbj-aezy-d7h4
6
vulnerability VCID-g3rk-djae-pkeh
7
vulnerability VCID-hppf-a715-r7b2
8
vulnerability VCID-jwun-grgg-2uet
9
vulnerability VCID-p22r-u1dd-b7b3
10
vulnerability VCID-p5mc-r1rg-5ff7
11
vulnerability VCID-sfyc-jewr-wuf5
12
vulnerability VCID-sgdb-985e-4uej
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.3.2
aliases CVE-2021-22904, GHSA-7wjx-3g7j-8584
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wg3a-j2dp-ayh4
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.6