{"url":"http://public2.vulnerablecode.io/api/packages/136955?format=json","purl":"pkg:gem/actionpack@6.1.1","type":"gem","namespace":"","name":"actionpack","version":"6.1.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"7.0.8.7","latest_non_vulnerable_version":"8.1.2.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42224?format=json","vulnerability_id":"VCID-12x8-jxdf-jqdz","summary":"Actionpack Open Redirect Vulnerability\nThe Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain \"allowed host\" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22881.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22881.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22881","reference_id":"","reference_type":"","scores":[{"value":"0.15453","scoring_system":"epss","scoring_elements":"0.94619","published_at":"2026-04-01T12:55:00Z"},{"value":"0.15453","scoring_system":"epss","scoring_elements":"0.94665","published_at":"2026-04-16T12:55:00Z"},{"value":"0.15453","scoring_system":"epss","scoring_elements":"0.94656","published_at":"2026-04-13T12:55:00Z"},{"value":"0.15453","scoring_system":"epss","scoring_elements":"0.94652","published_at":"2026-04-11T12:55:00Z"},{"value":"0.15453","scoring_system":"epss","scoring_elements":"0.94648","published_at":"2026-04-09T12:55:00Z"},{"value":"0.15453","scoring_system":"epss","scoring_elements":"0.94644","published_at":"2026-04-08T12:55:00Z"},{"value":"0.15453","scoring_system":"epss","scoring_elements":"0.94634","published_at":"2026-04-07T12:55:00Z"},{"value":"0.15453","scoring_system":"epss","scoring_elements":"0.94632","published_at":"2026-04-04T12:55:00Z"},{"value":"0.15453","scoring_system":"epss","scoring_elements":"0.94626","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22881"},{"reference_url":"https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22881","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22881"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/blob/v6.1.2.1/actionpack/CHANGELOG.md","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/blob/v6.1.2.1/actionpack/CHANGELOG.md"},{"reference_url":"https://github.com/rails/rails/commit/b5de7b3a4787d8a55aaad39f477c16e3af65e444","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/b5de7b3a4787d8a55aaad39f477c16e3af65e444"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22881.yml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22881.yml"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/zN_3qA26l6E","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/zN_3qA26l6E"},{"reference_url":"https://hackerone.com/reports/1047447","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1047447"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22881","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22881"},{"reference_url":"https://rubygems.org/gems/actionpack","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubygems.org/gems/actionpack"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/05/05/2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2021/05/05/2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/08/20/1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2021/08/20/1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/12/14/5","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2021/12/14/5"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1930211","reference_id":"1930211","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1930211"},{"reference_url":"https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization/","reference_id":"CVE-2021-22881-FAILLE-DE-SECURITE-DANS-LE-MIDDLEWARE-HOSTAUTHORIZATION","reference_type":"","scores":[],"url":"https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization/"},{"reference_url":"https://github.com/advisories/GHSA-8877-prq4-9xfw","reference_id":"GHSA-8877-prq4-9xfw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8877-prq4-9xfw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75993?format=json","purl":"pkg:gem/actionpack@6.1.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1x8k-t8mr-3fgp"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-msda-xqbp-qfdd"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.2.1"}],"aliases":["CVE-2021-22881","GHSA-8877-prq4-9xfw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-12x8-jxdf-jqdz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11124?format=json","vulnerability_id":"VCID-1bxs-yghe-cyck","summary":"URL Redirection to Untrusted Site ('Open Redirect')\nA possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22942.json","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22942.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22942","reference_id":"","reference_type":"","scores":[{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67302","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67412","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67424","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67413","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67339","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67378","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67403","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.6739","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67361","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c"},{"reference_url":"https://rubygems.org/gems/actionpack","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubygems.org/gems/actionpack"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240202-0005","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240202-0005"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240202-0005/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20240202-0005/"},{"reference_url":"https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released"},{"reference_url":"https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/","reference_id":"","reference_type":"","scores":[],"url":"https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/"},{"reference_url":"https://www.debian.org/security/2023/dsa-5372","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2023/dsa-5372"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/12/14/5","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2021/12/14/5"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1995940","reference_id":"1995940","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1995940"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586","reference_id":"992586","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586"},{"reference_url":"https://security.archlinux.org/AVG-2492","reference_id":"AVG-2492","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2492"},{"reference_url":"https://security.archlinux.org/AVG-2493","reference_id":"AVG-2493","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2493"},{"reference_url":"https://access.redhat.com/security/cve/cve-2021-22942","reference_id":"CVE-2021-22942","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/security/cve/cve-2021-22942"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22942","reference_id":"CVE-2021-22942","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22942"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml","reference_id":"CVE-2021-22942.YML","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml"},{"reference_url":"https://github.com/advisories/GHSA-2rqw-v265-jf8c","reference_id":"GHSA-2rqw-v265-jf8c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2rqw-v265-jf8c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39179?format=json","purl":"pkg:gem/actionpack@6.1.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1x8k-t8mr-3fgp"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.4.1"}],"aliases":["CVE-2021-22942","GHSA-2rqw-v265-jf8c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1bxs-yghe-cyck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11789?format=json","vulnerability_id":"VCID-1x8k-t8mr-3fgp","summary":"URL Redirection to Untrusted Site ('Open Redirect')\nA open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a \"X-Forwarded-Host\" headers in combination with certain \"allowed host\" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44528.json","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44528.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-44528","reference_id":"","reference_type":"","scores":[{"value":"0.25125","scoring_system":"epss","scoring_elements":"0.96188","published_at":"2026-04-16T12:55:00Z"},{"value":"0.25125","scoring_system":"epss","scoring_elements":"0.9618","published_at":"2026-04-13T12:55:00Z"},{"value":"0.25125","scoring_system":"epss","scoring_elements":"0.96178","published_at":"2026-04-12T12:55:00Z"},{"value":"0.25125","scoring_system":"epss","scoring_elements":"0.96175","published_at":"2026-04-09T12:55:00Z"},{"value":"0.25125","scoring_system":"epss","scoring_elements":"0.96171","published_at":"2026-04-08T12:55:00Z"},{"value":"0.25125","scoring_system":"epss","scoring_elements":"0.9615","published_at":"2026-04-02T12:55:00Z"},{"value":"0.25125","scoring_system":"epss","scoring_elements":"0.96142","published_at":"2026-04-01T12:55:00Z"},{"value":"0.25125","scoring_system":"epss","scoring_elements":"0.96161","published_at":"2026-04-07T12:55:00Z"},{"value":"0.25125","scoring_system":"epss","scoring_elements":"0.96158","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/blob/v6.1.4.2/actionpack/CHANGELOG.md#rails-6142-december-14-2021","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/blob/v6.1.4.2/actionpack/CHANGELOG.md#rails-6142-december-14-2021"},{"reference_url":"https://github.com/rails/rails/commit/0fccfb9a3097a9c4260c791f1a40b128517e7815","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/0fccfb9a3097a9c4260c791f1a40b128517e7815"},{"reference_url":"https://github.com/rails/rails/commit/aecba3c301b80e9d5a63c30ea1b287bceaf2c107","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/aecba3c301b80e9d5a63c30ea1b287bceaf2c107"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-44528.yml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-44528.yml"},{"reference_url":"https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ"},{"reference_url":"https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ?utm_medium=email&utm_source=footer","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ?utm_medium=email&utm_source=footer"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240208-0003","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240208-0003"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240208-0003/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20240208-0003/"},{"reference_url":"https://www.debian.org/security/2023/dsa-5372","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2023/dsa-5372"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001817","reference_id":"1001817","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001817"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2034266","reference_id":"2034266","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2034266"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44528","reference_id":"CVE-2021-44528","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44528"},{"reference_url":"https://github.com/advisories/GHSA-qphc-hf5q-v8fc","reference_id":"GHSA-qphc-hf5q-v8fc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qphc-hf5q-v8fc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42281?format=json","purl":"pkg:gem/actionpack@6.1.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.4.2"},{"url":"http://public2.vulnerablecode.io/api/packages/136966?format=json","purl":"pkg:gem/actionpack@7.0.0.alpha1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1"}],"aliases":["CVE-2021-44528","GHSA-qphc-hf5q-v8fc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1x8k-t8mr-3fgp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/16106?format=json","vulnerability_id":"VCID-63gy-6njy-kbd8","summary":"ReDoS based DoS vulnerability in Action Dispatch\nThere is a possible regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted `X_FORWARDED_HOST` header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22792","reference_id":"","reference_type":"","scores":[{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85729","published_at":"2026-04-16T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85707","published_at":"2026-04-13T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85711","published_at":"2026-04-12T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85715","published_at":"2026-04-11T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85701","published_at":"2026-04-09T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85689","published_at":"2026-04-08T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85646","published_at":"2026-04-02T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.8567","published_at":"2026-04-07T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85663","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/"}],"url":"https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/releases/tag/v7.0.4.1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v7.0.4.1"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml"},{"reference_url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240202-0007","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240202-0007"},{"reference_url":"https://www.debian.org/security/2023/dsa-5372","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/"}],"url":"https://www.debian.org/security/2023/dsa-5372"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050","reference_id":"1030050","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164800","reference_id":"2164800","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164800"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22792","reference_id":"CVE-2023-22792","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22792"},{"reference_url":"https://github.com/advisories/GHSA-p84v-45xj-wwqj","reference_id":"GHSA-p84v-45xj-wwqj","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p84v-45xj-wwqj"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240202-0007/","reference_id":"ntap-20240202-0007","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/"}],"url":"https://security.netapp.com/advisory/ntap-20240202-0007/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:6818","reference_id":"RHSA-2023:6818","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:6818"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55418?format=json","purl":"pkg:gem/actionpack@6.1.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.1"},{"url":"http://public2.vulnerablecode.io/api/packages/55815?format=json","purl":"pkg:gem/actionpack@7.0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh7-drnb-7ygg"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.4.1"}],"aliases":["CVE-2023-22792","GHSA-p84v-45xj-wwqj","GMS-2023-58"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-63gy-6njy-kbd8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/13952?format=json","vulnerability_id":"VCID-ce39-j83r-6ug9","summary":"Duplicate\nThis advisory duplicates another.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22577.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22577.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-22577","reference_id":"","reference_type":"","scores":[{"value":"0.00287","scoring_system":"epss","scoring_elements":"0.52201","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00287","scoring_system":"epss","scoring_elements":"0.5216","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00287","scoring_system":"epss","scoring_elements":"0.52175","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00287","scoring_system":"epss","scoring_elements":"0.52192","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00287","scoring_system":"epss","scoring_elements":"0.52141","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00287","scoring_system":"epss","scoring_elements":"0.52145","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00287","scoring_system":"epss","scoring_elements":"0.52091","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00287","scoring_system":"epss","scoring_elements":"0.52099","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00287","scoring_system":"epss","scoring_elements":"0.52126","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec"},{"reference_url":"https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508"},{"reference_url":"https://github.com/rails/rails/commit/8198d7c4accad0b6ba956b9d59528534a289866b","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/8198d7c4accad0b6ba956b9d59528534a289866b"},{"reference_url":"https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809"},{"reference_url":"https://github.com/rails/rails/pull/44635","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/pull/44635"},{"reference_url":"https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"},{"reference_url":"https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released"},{"reference_url":"https://security.netapp.com/advisory/ntap-20221118-0002","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20221118-0002"},{"reference_url":"https://security.netapp.com/advisory/ntap-20221118-0002/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20221118-0002/"},{"reference_url":"https://www.debian.org/security/2023/dsa-5372","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2023/dsa-5372"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011941","reference_id":"1011941","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011941"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2080302","reference_id":"2080302","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2080302"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22577","reference_id":"CVE-2022-22577","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22577"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml","reference_id":"CVE-2022-22577.YML","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml"},{"reference_url":"https://github.com/advisories/GHSA-mm33-5vfq-3mm3","reference_id":"GHSA-mm33-5vfq-3mm3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mm33-5vfq-3mm3"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2097","reference_id":"RHSA-2023:2097","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2097"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79894?format=json","purl":"pkg:gem/actionpack@6.1.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/79895?format=json","purl":"pkg:gem/actionpack@7.0.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh7-drnb-7ygg"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-6tty-dbwx-rbgx"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.2.4"}],"aliases":["CVE-2022-22577","GHSA-mm33-5vfq-3mm3","GMS-2022-1137"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ce39-j83r-6ug9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18130?format=json","vulnerability_id":"VCID-dd9p-x7k3-37ea","summary":"Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to\nThe `redirect_to` method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.\n\nVersions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28362.json","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28362.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28362","reference_id":"","reference_type":"","scores":[{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45215","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45164","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45162","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45194","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45174","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45173","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45177","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.4512","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45155","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28362"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28362","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28362"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3","scoring_elements":""},{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/"}],"url":"https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/"}],"url":"https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441"},{"reference_url":"https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/"}],"url":"https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5"},{"reference_url":"https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23"},{"reference_url":"https://security.netapp.com/advisory/ntap-20250502-0009","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20250502-0009"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051058","reference_id":"1051058","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051058"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2217785","reference_id":"2217785","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2217785"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28362","reference_id":"CVE-2023-28362","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28362"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml","reference_id":"CVE-2023-28362.YML","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml"},{"reference_url":"https://github.com/advisories/GHSA-4g8v-vg43-wpgf","reference_id":"GHSA-4g8v-vg43-wpgf","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/"}],"url":"https://github.com/advisories/GHSA-4g8v-vg43-wpgf"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7851","reference_id":"RHSA-2023:7851","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7851"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58478?format=json","purl":"pkg:gem/actionpack@6.1.7.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.4"},{"url":"http://public2.vulnerablecode.io/api/packages/58479?format=json","purl":"pkg:gem/actionpack@7.0.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh7-drnb-7ygg"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.5.1"}],"aliases":["CVE-2023-28362","GHSA-4g8v-vg43-wpgf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dd9p-x7k3-37ea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15032?format=json","vulnerability_id":"VCID-ehbj-aezy-d7h4","summary":"Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch\n# Possible ReDoS vulnerability in Accept header parsing in Action Dispatch\n\nThere is a possible ReDoS vulnerability in the Accept header parsing routines\nof Action Dispatch. This vulnerability has been assigned the CVE identifier\nCVE-2024-26142.\n\nVersions Affected:  >= 7.1.0, < 7.1.3.1\nNot affected:       < 7.1.0\nFixed Versions:     7.1.3.1\n\nImpact\n------\nCarefully crafted Accept headers can cause Accept header parsing in Action\nDispatch to take an unexpected amount of time, possibly resulting in a DoS\nvulnerability.  All users running an affected release should either upgrade or\nuse one of the workarounds immediately.\n\nRuby 3.2 has mitigations for this problem, so Rails applications using Ruby\n3.2 or newer are unaffected.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue.\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 7-1-accept-redox.patch - Patch for 7.1 series\n\nCredits\n-------\nThanks [svalkanov](https://hackerone.com/svalkanov) for the report and patch!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26142.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26142.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-26142","reference_id":"","reference_type":"","scores":[{"value":"0.03542","scoring_system":"epss","scoring_elements":"0.87692","published_at":"2026-04-16T12:55:00Z"},{"value":"0.03542","scoring_system":"epss","scoring_elements":"0.87677","published_at":"2026-04-13T12:55:00Z"},{"value":"0.03542","scoring_system":"epss","scoring_elements":"0.8768","published_at":"2026-04-12T12:55:00Z"},{"value":"0.03542","scoring_system":"epss","scoring_elements":"0.87685","published_at":"2026-04-11T12:55:00Z"},{"value":"0.03542","scoring_system":"epss","scoring_elements":"0.87632","published_at":"2026-04-02T12:55:00Z"},{"value":"0.03542","scoring_system":"epss","scoring_elements":"0.87647","published_at":"2026-04-07T12:55:00Z"},{"value":"0.03542","scoring_system":"epss","scoring_elements":"0.87645","published_at":"2026-04-04T12:55:00Z"},{"value":"0.03542","scoring_system":"epss","scoring_elements":"0.87674","published_at":"2026-04-09T12:55:00Z"},{"value":"0.03542","scoring_system":"epss","scoring_elements":"0.87667","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-26142"},{"reference_url":"https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/"}],"url":"https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/"}],"url":"https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/"}],"url":"https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/"}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26142","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26142"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2266324","reference_id":"2266324","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2266324"},{"reference_url":"https://github.com/advisories/GHSA-jjhx-jhvp-74wq","reference_id":"GHSA-jjhx-jhvp-74wq","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jjhx-jhvp-74wq"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240503-0003/","reference_id":"ntap-20240503-0003","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/"}],"url":"https://security.netapp.com/advisory/ntap-20240503-0003/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52891?format=json","purl":"pkg:gem/actionpack@7.1.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.3.1"}],"aliases":["CVE-2024-26142","GHSA-jjhx-jhvp-74wq"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ehbj-aezy-d7h4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14522?format=json","vulnerability_id":"VCID-g3rk-djae-pkeh","summary":"Possible Content Security Policy bypass in Action Dispatch\nThere is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper in Action Pack.\n\nImpact\n------\nApplications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nApplications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.\n\nCredits\n-------\nThanks to [ryotak](https://hackerone.com/ryotak) for the report!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-54133","reference_id":"","reference_type":"","scores":[{"value":"0.00122","scoring_system":"epss","scoring_elements":"0.31424","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00122","scoring_system":"epss","scoring_elements":"0.31466","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.40871","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.40906","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.40834","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.4089","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.40883","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.40895","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.40852","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-54133"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/"}],"url":"https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49"},{"reference_url":"https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/"}],"url":"https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a"},{"reference_url":"https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/"}],"url":"https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542"},{"reference_url":"https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/"}],"url":"https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/"}],"url":"https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-54133","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-54133"},{"reference_url":"https://security.netapp.com/advisory/ntap-20250306-0010","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20250306-0010"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755","reference_id":"1089755","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2331619","reference_id":"2331619","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2331619"},{"reference_url":"https://github.com/advisories/GHSA-vfm5-rmrh-j26v","reference_id":"GHSA-vfm5-rmrh-j26v","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vfm5-rmrh-j26v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/50946?format=json","purl":"pkg:gem/actionpack@7.0.8.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.7"},{"url":"http://public2.vulnerablecode.io/api/packages/139138?format=json","purl":"pkg:gem/actionpack@7.1.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/50947?format=json","purl":"pkg:gem/actionpack@7.1.5.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/58922?format=json","purl":"pkg:gem/actionpack@7.2.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/50948?format=json","purl":"pkg:gem/actionpack@7.2.2.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.2.1"},{"url":"http://public2.vulnerablecode.io/api/packages/139267?format=json","purl":"pkg:gem/actionpack@8.0.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/50949?format=json","purl":"pkg:gem/actionpack@8.0.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.1"}],"aliases":["CVE-2024-54133","GHSA-vfm5-rmrh-j26v"],"risk_score":1.9,"exploitability":"0.5","weighted_severity":"3.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g3rk-djae-pkeh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47751?format=json","vulnerability_id":"VCID-gjey-bqtd-kqa1","summary":"Action Pack contains Information Disclosure / Unintended Method Execution vulnerability\nImpact\n------\nThere is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the `redirect_to` or `polymorphic_url` helper with untrusted user input.\n\nVulnerable code will look like this.\n\n```\nredirect_to(params[:some_param])\n```\n\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\n\nReleases\n--------\nThe FIXED releases are available at the normal locations.\n\nWorkarounds\n-----------\nTo work around this problem, it is recommended to use an allow list for valid parameters passed from the user.  For example,\n\n```ruby\nprivate def check(param)\n  case param\n  when \"valid\"\n    param\n  else\n    \"/\"\n  end\nend\n\ndef index\n  redirect_to(check(params[:some_param]))\nend\n```\n\nOr force the user input to be cast to a string like this,\n\n```ruby\ndef index\n  redirect_to(params[:some_param].to_s)\nend\n```\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.\n\n* 5-2-information-disclosure.patch - Patch for 5.2 series\n* 6-0-information-disclosure.patch - Patch for 6.0 series\n* 6-1-information-disclosure.patch - Patch for 6.1 series\n\nPlease note that only the 5.2, 6.0, and 6.1 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.\n\nCredits\n-------\n\nThanks to Benoit Côté-Jodoin from Shopify for reporting this.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22885.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22885.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22885","reference_id":"","reference_type":"","scores":[{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86805","published_at":"2026-04-11T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86812","published_at":"2026-04-16T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86736","published_at":"2026-04-01T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86797","published_at":"2026-04-13T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86746","published_at":"2026-04-02T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86765","published_at":"2026-04-04T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86763","published_at":"2026-04-07T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86783","published_at":"2026-04-08T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86791","published_at":"2026-04-09T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86802","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22885"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI"},{"reference_url":"https://hackerone.com/reports/1106652","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1106652"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22885","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22885"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210805-0009"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210805-0009/"},{"reference_url":"https://www.debian.org/security/2021/dsa-4929","reference_id":"","reference_type":"","scores":[],"url":"https://www.debian.org/security/2021/dsa-4929"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1957441","reference_id":"1957441","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1957441"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214","reference_id":"988214","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214"},{"reference_url":"https://security.archlinux.org/AVG-1920","reference_id":"AVG-1920","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1920"},{"reference_url":"https://security.archlinux.org/AVG-1921","reference_id":"AVG-1921","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1921"},{"reference_url":"https://security.archlinux.org/AVG-2090","reference_id":"AVG-2090","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2090"},{"reference_url":"https://security.archlinux.org/AVG-2223","reference_id":"AVG-2223","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2223"},{"reference_url":"https://github.com/advisories/GHSA-hjg4-8q5f-x6fm","reference_id":"GHSA-hjg4-8q5f-x6fm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hjg4-8q5f-x6fm"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4702","reference_id":"RHSA-2021:4702","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4702"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/136958?format=json","purl":"pkg:gem/actionpack@6.1.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1x8k-t8mr-3fgp"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-msda-xqbp-qfdd"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-wyy6-h8bq-vyde"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/77105?format=json","purl":"pkg:gem/actionpack@6.1.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1x8k-t8mr-3fgp"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.3.2"}],"aliases":["CVE-2021-22885","GHSA-hjg4-8q5f-x6fm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gjey-bqtd-kqa1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/16390?format=json","vulnerability_id":"VCID-hppf-a715-r7b2","summary":"ReDoS based DoS vulnerability in Action Dispatch\nThere is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22795","reference_id":"","reference_type":"","scores":[{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81303","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.8121","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81234","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81262","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81267","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81288","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81274","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81266","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f"},{"reference_url":"https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0"},{"reference_url":"https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.1.7.1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.1.7.1"},{"reference_url":"https://github.com/rails/rails/releases/tag/v7.0.4.1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v7.0.4.1"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml"},{"reference_url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050","reference_id":"1030050","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164799","reference_id":"2164799","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164799"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22795","reference_id":"CVE-2023-22795","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22795"},{"reference_url":"https://github.com/advisories/GHSA-8xww-x3g3-6jcv","reference_id":"GHSA-8xww-x3g3-6jcv","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8xww-x3g3-6jcv"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:6818","reference_id":"RHSA-2023:6818","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:6818"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55418?format=json","purl":"pkg:gem/actionpack@6.1.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.1"},{"url":"http://public2.vulnerablecode.io/api/packages/55815?format=json","purl":"pkg:gem/actionpack@7.0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh7-drnb-7ygg"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.4.1"}],"aliases":["CVE-2023-22795","GHSA-8xww-x3g3-6jcv","GMS-2023-56"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hppf-a715-r7b2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/12862?format=json","vulnerability_id":"VCID-jwun-grgg-2uet","summary":"Exposure of information in Action Pack\nAction Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23634.json","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23634.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23633","reference_id":"","reference_type":"","scores":[{"value":"0.00367","scoring_system":"epss","scoring_elements":"0.58669","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00367","scoring_system":"epss","scoring_elements":"0.58687","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00367","scoring_system":"epss","scoring_elements":"0.58648","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00367","scoring_system":"epss","scoring_elements":"0.5868","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00367","scoring_system":"epss","scoring_elements":"0.58667","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00367","scoring_system":"epss","scoring_elements":"0.58623","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00367","scoring_system":"epss","scoring_elements":"0.5861","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00367","scoring_system":"epss","scoring_elements":"0.58643","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00367","scoring_system":"epss","scoring_elements":"0.58662","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23633"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23634","reference_id":"","reference_type":"","scores":[{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63267","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.6327","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63233","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63269","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63284","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.6325","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63198","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00453","scoring_system":"epss","scoring_elements":"0.63789","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00453","scoring_system":"epss","scoring_elements":"0.63763","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23634"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/puma/puma","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puma/puma"},{"reference_url":"https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml"},{"reference_url":"https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ"},{"reference_url":"https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"},{"reference_url":"https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released"},{"reference_url":"https://security.gentoo.org/glsa/202208-28","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/202208-28"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240119-0013","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240119-0013"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240119-0013/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20240119-0013/"},{"reference_url":"https://www.debian.org/security/2022/dsa-5146","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2022/dsa-5146"},{"reference_url":"https://www.debian.org/security/2023/dsa-5372","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2023/dsa-5372"},{"reference_url":"http://www.openwall.com/lists/oss-security/2022/02/11/5","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2022/02/11/5"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389","reference_id":"1005389","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005391","reference_id":"1005391","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005391"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2054211","reference_id":"2054211","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2054211"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2063149","reference_id":"2063149","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2063149"},{"reference_url":"https://security.archlinux.org/AVG-2764","reference_id":"AVG-2764","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2764"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23633","reference_id":"CVE-2022-23633","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23633"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23634","reference_id":"CVE-2022-23634","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23634"},{"reference_url":"https://github.com/advisories/GHSA-rmj8-8hhh-gv5h","reference_id":"GHSA-rmj8-8hhh-gv5h","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"},{"reference_url":"https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h","reference_id":"GHSA-rmj8-8hhh-gv5h","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3","scoring_elements":""},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"},{"reference_url":"https://github.com/advisories/GHSA-wh98-p28r-vrc9","reference_id":"GHSA-wh98-p28r-vrc9","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wh98-p28r-vrc9"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9","reference_id":"GHSA-wh98-p28r-vrc9","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:5498","reference_id":"RHSA-2022:5498","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:5498"},{"reference_url":"https://usn.ubuntu.com/6682-1/","reference_id":"USN-6682-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6682-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46104?format=json","purl":"pkg:gem/actionpack@6.1.4.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.4.6"},{"url":"http://public2.vulnerablecode.io/api/packages/136966?format=json","purl":"pkg:gem/actionpack@7.0.0.alpha1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1"},{"url":"http://public2.vulnerablecode.io/api/packages/46105?format=json","purl":"pkg:gem/actionpack@7.0.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh7-drnb-7ygg"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-6tty-dbwx-rbgx"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.2.2"}],"aliases":["CVE-2022-23633","CVE-2022-23634","GHSA-rmj8-8hhh-gv5h","GHSA-wh98-p28r-vrc9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jwun-grgg-2uet"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47598?format=json","vulnerability_id":"VCID-msda-xqbp-qfdd","summary":"Possible Open Redirect Vulnerability in Action Pack\nThere is a possible Open Redirect Vulnerability in Action Pack.\n\nVersions Affected:  >= v6.1.0.rc2\nNot affected:       < v6.1.0.rc2\nFixed Versions:     6.1.3.2\n\nImpact\n------\nThis is similar to CVE-2021-22881. Specially crafted Host headers in combination with certain \"allowed host\" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious\nwebsite.\n\nSince rails/rails@9bc7ea5, strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, config.hosts << \"sub.example.com\" to permit a request with a Host header value of sub-example.com.\n\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThe following monkey patch put in an initializer can be used as a workaround.\n\n```ruby\nclass ActionDispatch::HostAuthorization::Permissions\n  def sanitize_string(host)\n    if host.start_with?(\".\")\n      /\\A(.+\\.)?#{Regexp.escape(host[1..-1])}\\z/i\n    else\n      /\\A#{Regexp.escape host}\\z/i\n    end\n  end\nend\n```\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.\n\n* 6-1-open-redirect.patch - Patch for 6.1 series\n\nPlease note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.\n\nCredits\n-------\n\nThanks Jonathan Hefner (https://hackerone.com/jonathanhefner) for reporting this bug!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22903.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22903.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22903","reference_id":"","reference_type":"","scores":[{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35808","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35768","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35791","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.3592","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35831","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35823","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35801","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35693","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35751","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.3589","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22903"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.1.3.2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.1.3.2"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22903.yml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22903.yml"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0"},{"reference_url":"https://hackerone.com/reports/1148025","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1148025"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22903","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22903"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1957438","reference_id":"1957438","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1957438"},{"reference_url":"https://security.archlinux.org/AVG-1919","reference_id":"AVG-1919","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1919"},{"reference_url":"https://github.com/advisories/GHSA-5hq2-xf89-9jxq","reference_id":"GHSA-5hq2-xf89-9jxq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5hq2-xf89-9jxq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77105?format=json","purl":"pkg:gem/actionpack@6.1.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1x8k-t8mr-3fgp"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.3.2"}],"aliases":["CVE-2021-22903","GHSA-5hq2-xf89-9jxq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-msda-xqbp-qfdd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18383?format=json","vulnerability_id":"VCID-p22r-u1dd-b7b3","summary":"Missing security headers in Action Pack on non-HTML responses\n# Permissions-Policy is Only Served on HTML Content-Type\n\nThe application configurable Permissions-Policy is only served on responses\nwith an HTML related Content-Type.\n\nThis has been assigned the CVE identifier CVE-2024-28103.\n\n\nVersions Affected:  >= 6.1.0\nNot affected:       < 6.1.0\nFixed Versions:     6.1.7.8, 7.0.8.4, and 7.1.3.4\n\nImpact\n------\nResponses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced.\n\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nN/A\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for\nthe supported release series in accordance with our \n[maintenance policy](https://guides.rubyonrails.org/maintenance_policy.html#security-issues)\nregarding security issues. They are in git-am format and consist of a\nsingle changeset.\n\n* 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series\n* 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series\n* 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series\n\n\n\nCredits\n-------\n\nThank you [shinkbr](https://hackerone.com/shinkbr) for reporting this!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28103.json","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28103.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28103","reference_id":"","reference_type":"","scores":[{"value":"0.00832","scoring_system":"epss","scoring_elements":"0.74613","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00832","scoring_system":"epss","scoring_elements":"0.74576","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00832","scoring_system":"epss","scoring_elements":"0.74585","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00832","scoring_system":"epss","scoring_elements":"0.74604","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00832","scoring_system":"epss","scoring_elements":"0.74581","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00832","scoring_system":"epss","scoring_elements":"0.74565","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00832","scoring_system":"epss","scoring_elements":"0.74533","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00832","scoring_system":"epss","scoring_elements":"0.74559","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00832","scoring_system":"epss","scoring_elements":"0.74532","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28103"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-20T16:17:47Z/"}],"url":"https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":""},{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-20T16:17:47Z/"}],"url":"https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-28103.yml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-28103.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28103","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28103"},{"reference_url":"https://security.netapp.com/advisory/ntap-20241206-0002","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20241206-0002"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072705","reference_id":"1072705","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072705"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2290530","reference_id":"2290530","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2290530"},{"reference_url":"https://github.com/advisories/GHSA-fwhr-88qx-h9g7","reference_id":"GHSA-fwhr-88qx-h9g7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fwhr-88qx-h9g7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58909?format=json","purl":"pkg:gem/actionpack@6.1.7.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.8"},{"url":"http://public2.vulnerablecode.io/api/packages/136966?format=json","purl":"pkg:gem/actionpack@7.0.0.alpha1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1"},{"url":"http://public2.vulnerablecode.io/api/packages/58913?format=json","purl":"pkg:gem/actionpack@7.0.8.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.4"},{"url":"http://public2.vulnerablecode.io/api/packages/139138?format=json","purl":"pkg:gem/actionpack@7.1.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/58917?format=json","purl":"pkg:gem/actionpack@7.1.3.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.3.4"},{"url":"http://public2.vulnerablecode.io/api/packages/58923?format=json","purl":"pkg:gem/actionpack@7.2.0.beta2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.0.beta2"}],"aliases":["CVE-2024-28103","GHSA-fwhr-88qx-h9g7"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p22r-u1dd-b7b3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/13941?format=json","vulnerability_id":"VCID-p5mc-r1rg-5ff7","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in actionview.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-27777.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-27777.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-27777","reference_id":"","reference_type":"","scores":[{"value":"0.00911","scoring_system":"epss","scoring_elements":"0.7586","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00911","scoring_system":"epss","scoring_elements":"0.75823","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00911","scoring_system":"epss","scoring_elements":"0.75829","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00911","scoring_system":"epss","scoring_elements":"0.75848","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00911","scoring_system":"epss","scoring_elements":"0.75824","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00911","scoring_system":"epss","scoring_elements":"0.75812","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00911","scoring_system":"epss","scoring_elements":"0.7578","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00911","scoring_system":"epss","scoring_elements":"0.75801","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00911","scoring_system":"epss","scoring_elements":"0.75768","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85"},{"reference_url":"https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"},{"reference_url":"https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released"},{"reference_url":"https://www.debian.org/security/2023/dsa-5372","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2023/dsa-5372"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016982","reference_id":"1016982","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016982"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2080296","reference_id":"2080296","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2080296"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-27777","reference_id":"CVE-2022-27777","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-27777"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml","reference_id":"CVE-2022-27777.YML","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml"},{"reference_url":"https://github.com/advisories/GHSA-ch3h-j2vf-95pv","reference_id":"GHSA-ch3h-j2vf-95pv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ch3h-j2vf-95pv"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2097","reference_id":"RHSA-2023:2097","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2097"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79894?format=json","purl":"pkg:gem/actionpack@6.1.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/79895?format=json","purl":"pkg:gem/actionpack@7.0.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh7-drnb-7ygg"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-6tty-dbwx-rbgx"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.2.4"}],"aliases":["CVE-2022-27777","GHSA-ch3h-j2vf-95pv","GMS-2022-1138"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p5mc-r1rg-5ff7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11785?format=json","vulnerability_id":"VCID-sfyc-jewr-wuf5","summary":"Possible ReDoS vulnerability in HTTP Token authentication in Action Controller\nThere is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.\n\nImpact\n------\n\nFor applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.\n\nRuby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nUsers on Ruby 3.2 are unaffected by this issue.\n\n\nCredits\n-------\nThanks to [scyoon](https://hackerone.com/scyoon) for reporting","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47887.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47887.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47887","reference_id":"","reference_type":"","scores":[{"value":"0.00296","scoring_system":"epss","scoring_elements":"0.5297","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00296","scoring_system":"epss","scoring_elements":"0.52876","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00296","scoring_system":"epss","scoring_elements":"0.52932","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00296","scoring_system":"epss","scoring_elements":"0.52948","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00296","scoring_system":"epss","scoring_elements":"0.52964","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00296","scoring_system":"epss","scoring_elements":"0.52914","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00296","scoring_system":"epss","scoring_elements":"0.5292","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00296","scoring_system":"epss","scoring_elements":"0.5287","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00296","scoring_system":"epss","scoring_elements":"0.52901","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47887"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47887","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47887"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/"}],"url":"https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376","reference_id":"1085376","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2319034","reference_id":"2319034","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2319034"},{"reference_url":"https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049","reference_id":"56b2fc3302836405b496e196a8d5fc0195e55049","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/"}],"url":"https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049"},{"reference_url":"https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a","reference_id":"7c1398854d51f9bb193fb79f226647351133d08a","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/"}],"url":"https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a"},{"reference_url":"https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545","reference_id":"8e057db25bff1dc7a98e9ae72e0083825b9ac545","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/"}],"url":"https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47887","reference_id":"CVE-2024-47887","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47887"},{"reference_url":"https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2","reference_id":"f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/"}],"url":"https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2"},{"reference_url":"https://github.com/advisories/GHSA-vfg9-r3fq-jvx4","reference_id":"GHSA-vfg9-r3fq-jvx4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vfg9-r3fq-jvx4"},{"reference_url":"https://usn.ubuntu.com/7290-1/","reference_id":"USN-7290-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7290-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42273?format=json","purl":"pkg:gem/actionpack@6.1.7.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.9"},{"url":"http://public2.vulnerablecode.io/api/packages/136966?format=json","purl":"pkg:gem/actionpack@7.0.0.alpha1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1"},{"url":"http://public2.vulnerablecode.io/api/packages/42274?format=json","purl":"pkg:gem/actionpack@7.0.8.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.5"},{"url":"http://public2.vulnerablecode.io/api/packages/139138?format=json","purl":"pkg:gem/actionpack@7.1.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/42276?format=json","purl":"pkg:gem/actionpack@7.1.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.4.1"},{"url":"http://public2.vulnerablecode.io/api/packages/58922?format=json","purl":"pkg:gem/actionpack@7.2.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/42277?format=json","purl":"pkg:gem/actionpack@7.2.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/139267?format=json","purl":"pkg:gem/actionpack@8.0.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.beta1"}],"aliases":["CVE-2024-47887","GHSA-vfg9-r3fq-jvx4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sfyc-jewr-wuf5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11925?format=json","vulnerability_id":"VCID-sgdb-985e-4uej","summary":"Possible ReDoS vulnerability in query parameter filtering in Action Dispatch\nThere is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.\n\nImpact\n------\n\nCarefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.\n\nRuby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.\n\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nUsers on Ruby 3.2 are unaffected by this issue.\n\n\nCredits\n-------\n\nThanks to [scyoon](https://hackerone.com/scyoon) for the report and patches!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41128.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41128.json"},{"reference_url":"https://access.redhat.com/security/cve/cve-2024-41128","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/"}],"url":"https://access.redhat.com/security/cve/cve-2024-41128"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41128","reference_id":"","reference_type":"","scores":[{"value":"0.00605","scoring_system":"epss","scoring_elements":"0.69624","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00605","scoring_system":"epss","scoring_elements":"0.69608","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00605","scoring_system":"epss","scoring_elements":"0.69557","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00605","scoring_system":"epss","scoring_elements":"0.69562","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00605","scoring_system":"epss","scoring_elements":"0.69578","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00605","scoring_system":"epss","scoring_elements":"0.69657","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00605","scoring_system":"epss","scoring_elements":"0.69618","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00605","scoring_system":"epss","scoring_elements":"0.69632","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00605","scoring_system":"epss","scoring_elements":"0.69647","published_at":"2026-04-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41128"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2319036","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/"}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2319036"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41128","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41128"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/"}],"url":"https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075"},{"reference_url":"https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/"}],"url":"https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef"},{"reference_url":"https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/"}],"url":"https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891"},{"reference_url":"https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/"}],"url":"https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/"}],"url":"https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41128","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41128"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376","reference_id":"1085376","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376"},{"reference_url":"https://github.com/advisories/GHSA-x76w-6vjr-8xgj","reference_id":"GHSA-x76w-6vjr-8xgj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x76w-6vjr-8xgj"},{"reference_url":"https://usn.ubuntu.com/7290-1/","reference_id":"USN-7290-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7290-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42273?format=json","purl":"pkg:gem/actionpack@6.1.7.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.9"},{"url":"http://public2.vulnerablecode.io/api/packages/136966?format=json","purl":"pkg:gem/actionpack@7.0.0.alpha1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1"},{"url":"http://public2.vulnerablecode.io/api/packages/42274?format=json","purl":"pkg:gem/actionpack@7.0.8.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.5"},{"url":"http://public2.vulnerablecode.io/api/packages/139138?format=json","purl":"pkg:gem/actionpack@7.1.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/42276?format=json","purl":"pkg:gem/actionpack@7.1.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.4.1"},{"url":"http://public2.vulnerablecode.io/api/packages/58922?format=json","purl":"pkg:gem/actionpack@7.2.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/42277?format=json","purl":"pkg:gem/actionpack@7.2.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/139267?format=json","purl":"pkg:gem/actionpack@8.0.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.beta1"}],"aliases":["CVE-2024-41128","GHSA-x76w-6vjr-8xgj"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sgdb-985e-4uej"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47410?format=json","vulnerability_id":"VCID-wg3a-j2dp-ayh4","summary":"Possible DoS Vulnerability in Action Controller Token Authentication\nThere is a possible DoS vulnerability in the Token Authentication logic in Action Controller.\n\nVersions Affected:  >= 4.0.0\nNot affected:       < 4.0.0\nFixed Versions:     6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6\n\nImpact\n------\nImpacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.  Impacted code will look something like this:\n\n```\nclass PostsController < ApplicationController\n  before_action :authenticate\n\n  private\n\n  def authenticate\n    authenticate_or_request_with_http_token do |token, options|\n      # ...\n    end\n  end\nend\n```\n\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThe following monkey patch placed in an initializer can be used to work around the issue:\n\n```ruby\nmodule ActionController::HttpAuthentication::Token\n  AUTHN_PAIR_DELIMITERS = /(?:,|;|\\t)/\nend\n```\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.\n\n* 5-2-http-authentication-dos.patch - Patch for 5.2 series\n* 6-0-http-authentication-dos.patch - Patch for 6.0 series\n* 6-1-http-authentication-dos.patch - Patch for 6.1 series\n\nPlease note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.\n\nCredits\n-------\nThank you to https://hackerone.com/wonda_tea_coffee for reporting this issue!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22904","reference_id":"","reference_type":"","scores":[{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92022","published_at":"2026-04-16T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92007","published_at":"2026-04-12T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92004","published_at":"2026-04-13T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92","published_at":"2026-04-08T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.91987","published_at":"2026-04-07T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.91981","published_at":"2026-04-04T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.91966","published_at":"2026-04-01T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.91974","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22904"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/releases/tag/v5.2.4.6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v5.2.4.6"},{"reference_url":"https://github.com/rails/rails/releases/tag/v5.2.6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v5.2.6"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.0.3.7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.0.3.7"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.1.3.2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.1.3.2"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ"},{"reference_url":"https://hackerone.com/reports/1101125","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1101125"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22904","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22904"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210805-0009"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210805-0009/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1961379","reference_id":"1961379","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1961379"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214","reference_id":"988214","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214"},{"reference_url":"https://security.archlinux.org/AVG-1920","reference_id":"AVG-1920","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1920"},{"reference_url":"https://security.archlinux.org/AVG-1921","reference_id":"AVG-1921","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1921"},{"reference_url":"https://security.archlinux.org/AVG-2090","reference_id":"AVG-2090","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2090"},{"reference_url":"https://security.archlinux.org/AVG-2223","reference_id":"AVG-2223","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2223"},{"reference_url":"https://github.com/advisories/GHSA-7wjx-3g7j-8584","reference_id":"GHSA-7wjx-3g7j-8584","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7wjx-3g7j-8584"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4702","reference_id":"RHSA-2021:4702","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4702"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77105?format=json","purl":"pkg:gem/actionpack@6.1.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1x8k-t8mr-3fgp"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.3.2"}],"aliases":["CVE-2021-22904","GHSA-7wjx-3g7j-8584"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wg3a-j2dp-ayh4"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48826?format=json","vulnerability_id":"VCID-wyy6-h8bq-vyde","summary":"Denial of Service in Action Dispatch\nImpact\n------\nThere is a possible Denial of Service vulnerability in Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThe following monkey patch placed in an initializer can be used to work around the issue.\n\n```ruby\nmodule Mime\n  class Type\n    MIME_REGEXP = /\\A(?:\\*\\/\\*|#{MIME_NAME}\\/(?:\\*|#{MIME_NAME})(?>\\s*#{MIME_PARAMETER}\\s*)*)\\z/\n  end\nend\n```\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.\n\n* 6-0-Prevent-catastrophic-backtracking-during-mime-parsin.patch - Patch for 6.0 series\n* 6-1-Prevent-catastrophic-backtracking-during-mime-parsin.patch - Patch for 6.1 series\n\nPlease note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.\n\nCredits\n-------\n\nThanks to Security Curious <security...@pm.me> for reporting this!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22902.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22902.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22902","reference_id":"","reference_type":"","scores":[{"value":"0.01063","scoring_system":"epss","scoring_elements":"0.77701","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01063","scoring_system":"epss","scoring_elements":"0.77664","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01063","scoring_system":"epss","scoring_elements":"0.77665","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01063","scoring_system":"epss","scoring_elements":"0.77681","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01063","scoring_system":"epss","scoring_elements":"0.77655","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01063","scoring_system":"epss","scoring_elements":"0.77649","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01063","scoring_system":"epss","scoring_elements":"0.77605","published_at":"2026-04-01T12:55:00Z"},{"value":"0.01063","scoring_system":"epss","scoring_elements":"0.77621","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01063","scoring_system":"epss","scoring_elements":"0.77639","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01063","scoring_system":"epss","scoring_elements":"0.77612","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22902"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22902","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22902"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.0.3.7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.0.3.7"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.1.3.2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.1.3.2"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22902.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22902.yml"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/_5ID_ld9u1c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/_5ID_ld9u1c"},{"reference_url":"https://hackerone.com/reports/1138654","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1138654"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22902","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22902"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1961382","reference_id":"1961382","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1961382"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214","reference_id":"988214","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214"},{"reference_url":"https://security.archlinux.org/AVG-2090","reference_id":"AVG-2090","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2090"},{"reference_url":"https://security.archlinux.org/AVG-2223","reference_id":"AVG-2223","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2223"},{"reference_url":"https://github.com/advisories/GHSA-g8ww-46x2-2p65","reference_id":"GHSA-g8ww-46x2-2p65","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g8ww-46x2-2p65"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4702","reference_id":"RHSA-2021:4702","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4702"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77104?format=json","purl":"pkg:gem/actionpack@6.0.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1x8k-t8mr-3fgp"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-msda-xqbp-qfdd"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.7"},{"url":"http://public2.vulnerablecode.io/api/packages/136955?format=json","purl":"pkg:gem/actionpack@6.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12x8-jxdf-jqdz"},{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1x8k-t8mr-3fgp"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-msda-xqbp-qfdd"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/77105?format=json","purl":"pkg:gem/actionpack@6.1.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1x8k-t8mr-3fgp"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.3.2"}],"aliases":["CVE-2021-22902","GHSA-g8ww-46x2-2p65"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wyy6-h8bq-vyde"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.1"}