VulnerableCode Package Details - pkg:gem/actionpack-page

Search for packages

Vulnerability	Summary	Fixed by
VCID-gjey-bqtd-kqa1 Aliases: CVE-2021-22885 GHSA-hjg4-8q5f-x6fm	Action Pack contains Information Disclosure / Unintended Method Execution vulnerability Impact ------ There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the `redirect_to` or `polymorphic_url` helper with untrusted user input. Vulnerable code will look like this. ``` redirect_to(params[:some_param]) ``` All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- To work around this problem, it is recommended to use an allow list for valid parameters passed from the user. For example, ```ruby private def check(param) case param when "valid" param else "/" end end def index redirect_to(check(params[:some_param])) end ``` Or force the user input to be cast to a string like this, ```ruby def index redirect_to(params[:some_param].to_s) end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 5-2-information-disclosure.patch - Patch for 5.2 series * 6-0-information-disclosure.patch - Patch for 6.0 series * 6-1-information-disclosure.patch - Patch for 6.1 series Please note that only the 5.2, 6.0, and 6.1 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to Benoit Côté-Jodoin from Shopify for reporting this.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-gjey-bqtd-kqa1
Aliases:
CVE-2021-22885
GHSA-hjg4-8q5f-x6fm

Action Pack contains Information Disclosure / Unintended Method Execution vulnerability Impact ------ There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the `redirect_to` or `polymorphic_url` helper with untrusted user input. Vulnerable code will look like this. ``` redirect_to(params[:some_param]) ``` All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- To work around this problem, it is recommended to use an allow list for valid parameters passed from the user. For example, ```ruby private def check(param) case param when "valid" param else "/" end end def index redirect_to(check(params[:some_param])) end ``` Or force the user input to be cast to a string like this, ```ruby def index redirect_to(params[:some_param].to_s) end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 5-2-information-disclosure.patch - Patch for 5.2 series * 6-0-information-disclosure.patch - Patch for 6.0 series * 6-1-information-disclosure.patch - Patch for 6.1 series Please note that only the 5.2, 6.0, and 6.1 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to Benoit Côté-Jodoin from Shopify for reporting this.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
VCID-3efe-hmaw-u7fn	Arbitrary file write in actionpack-page_caching gem There is a vulnerability in actionpack_page-caching gem < v1.2.1 that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view.	CVE-2020-8159 GHSA-mg5p-95m9-rmfp

Vulnerability

Summary

Aliases

VCID-3efe-hmaw-u7fn

Arbitrary file write in actionpack-page_caching gem There is a vulnerability in actionpack_page-caching gem < v1.2.1 that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view.

CVE-2020-8159
GHSA-mg5p-95m9-rmfp

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:25:24.843376+00:00	GitLab Importer	Affected by	VCID-gjey-bqtd-kqa1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack-page_caching/CVE-2021-22885.yml	38.4.0
2026-04-16T21:03:17.800402+00:00	GitLab Importer	Fixing	VCID-3efe-hmaw-u7fn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack-page_caching/CVE-2020-8159.yml	38.4.0
2026-04-11T22:38:11.263883+00:00	GitLab Importer	Affected by	VCID-gjey-bqtd-kqa1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack-page_caching/CVE-2021-22885.yml	38.3.0
2026-04-11T22:14:40.904554+00:00	GitLab Importer	Fixing	VCID-3efe-hmaw-u7fn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack-page_caching/CVE-2020-8159.yml	38.3.0
2026-04-02T22:48:53.357257+00:00	GitLab Importer	Affected by	VCID-gjey-bqtd-kqa1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack-page_caching/CVE-2021-22885.yml	38.1.0
2026-04-02T22:26:59.373952+00:00	GitLab Importer	Fixing	VCID-3efe-hmaw-u7fn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack-page_caching/CVE-2020-8159.yml	38.1.0
2026-04-01T17:06:45.184315+00:00	GitLab Importer	Affected by	VCID-gjey-bqtd-kqa1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack-page_caching/CVE-2021-22885.yml	38.0.0
2026-04-01T16:44:57.036584+00:00	GitLab Importer	Fixing	VCID-3efe-hmaw-u7fn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack-page_caching/CVE-2020-8159.yml	38.0.0
2026-04-01T15:58:07.370632+00:00	GHSA Importer	Fixing	VCID-3efe-hmaw-u7fn	https://github.com/advisories/GHSA-mg5p-95m9-rmfp	38.0.0
2026-04-01T13:00:34.655684+00:00	GithubOSV Importer	Fixing	VCID-3efe-hmaw-u7fn	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-mg5p-95m9-rmfp/GHSA-mg5p-95m9-rmfp.json	38.0.0